Disclaimer – The Website and Manual
While every effort will be made to ensure that the information contained within this website and manual is accurate and up to date, the author makes no warranty, representation or undertaking whether expressed or implied, nor does it assume any legal liability, whether direct or indirect, or responsibility for the accuracy, completeness, or usefulness of any information.

Disclaimer - Other sites
Hypertext links to sites outside this website are provided as a convenience to users and should not necessarily be construed as an endorsement. Although every care is taken to provide links to suitable material from this site, the nature of the Internet prevents the author from guaranteeing the suitability or accuracy of any of the material that this site may be linked to. Consequently, the author can accept no responsibility for unsuitable or inaccurate material that may be encountered and accepts no liability whether direct or indirect for any loss or damage a person suffers because that person had directly or indirectly relied on any information stored in the hypertext links. Further, the author is not and cannot be responsible for the accuracy or legitimacy of information found elsewhere on the Internet and there is therefore no guarantee or warranty that any of the sites listed will be available at any particular time. The author does not guarantee or warrant any services that might be announced - use at your own risk. The author makes no warranty, representation or undertaking whether expressed or implied nor does it assume any legal responsibility for the accuracy, completeness or usefulness of the information in the hypertext links.

Introduction

During the “.com” gold rush, I decided to set up a small website dedicated to Caribbean art. The company I used made it really easy, all I had to do was copy my files to the web server using the username and password they provided. One day at work I overheard some friends saying that they were hosting their websites from home using their DSL line. I suddenly decided to do the same and moved www.simiya.com literally “in-house”. Of course, it wasn’t as easy as they had made it seem. I generally found a majority of Linux resources on the web to be either too detailed or too vague or just inaccurate. There were many excellent articles on specific topics, but they were usually part of a general interest publication, and information on related topics on the site was sometimes hard to find. There just wasn’t a site out there for intermediate Linux home users who wanted to get their feet wet in web hosting, nor did there seem to be any similar sites targeting the poor I.T. people who are told to “get Linux working by tomorrow”. After a few months I decided that no one should have to repeat my pain and I added some technical pages to the site. Soon, www.linuxhomenetworking.com was born.

This manual assumes you have a few weeks of Linux experience and understand the basics, such as file management and the use of text editors such as “vi”. This approach was taken in order to keep its focus on the intermediate user who requires a compact guide. It’s ironic to know that in the beginning I learned from the web as I just wasn’t prepared to buy too many Linux books; now I’ve created this manual because web users were constantly asking me to write one. If you like this manual, feel free to visit the site and let me know. Without your encouragement it wouldn’t have happened at all.

Peter

Table Of Contents

The Linux Boot Process: Determining The Default Boot runlevel; Get A Basic Text Terminal Without Exiting The GUI; Get A GUI Console; Using Virtual Terminals; Using A GUI Terminal Window; System Shutdown And Rebooting (Halt / Shutdown The System; Reboot The System); How To Set Which Programs Run At Each runlevel (Switch Off Sendmail Starting Up In Levels 3 and 5; Use Chkconfig To Get A Listing Of Sendmail's Current Startup Options; Doublecheck That Sendmail Will Not Startup; Turn it back on again; Chkconfig Examples; Final Tips On chkconfig).

Why Host Your Own Site?: Network Diagram; Alternatives To Home Web Hosting; Factors To Consider Before Hosting Yourself; Home Based Websites (Pros; Cons); Small Office Based Websites (Pros; Cons); How To Migrate From An External Provider.

Introduction To Networking: What Is TCP/IP?; What are TCP / UDP Ports?; What Is Localhost?; What is TCP?; What is UDP?; What is a TTL?; What is ICMP?; What Do IP Addresses Look Like?; Private IP Addresses; What Is A Subnet Mask?; How Many Addresses Do I Get With My Mask?; What Is A Gateway?; What Is A Default Gateway?; What’s The Range Of Addresses On My Network? (Manual Calculation; Calculation Using A Script); What Is Duplex?; What Is A Hub?; What Is A Switch?; What Is A LAN?; What Is A Router?; The RedHat Boot Sequence; What Is A NIC?; What Is A Route?; What Is A Firewall?; What Is ARP?; What Is A MAC Address?; What Is DHCP?; What Is NAT?; What Is Port Forwarding With NAT?; What Is DNS?; How Can I Check The IP Address For A Domain?; How Do I Get My Own DNS Domain Name?; Static or Dynamic DNS?; What is FTP? (Regular FTP; Anonymous FTP); Where is Linux Help? (Finding General Information On A Command; Search For All Instances Of A Word).

Troubleshooting Linux With Syslog: About syslog; Syslog Facilities; The /etc/syslog.conf File; Activating Changes To The syslog Configuration File; How To View New Log Entries As They Happen; Logging Syslog Messages To A Remote Linux Server (Configuring the Linux Syslog Server; Configuring the Linux Client); Syslog Configuration and Cisco Network Devices; Syslog and Firewalls; Logrotate (The /etc/logrotate.conf File; Sample contents of /etc/logrotate.conf; The /etc/logrotate.d Directory; The /etc/logrotate.d/syslog File (For General System Logging); The /etc/logrotate.d/apache File (For Apache); The /etc/logrotate.d/samba File (for SAMBA); Activating logrotate).

Linux Networking: How To Configure Your NIC's IP Address; Determining Your IP Address; Changing Your IP Address; network-scripts File Formats; Multiple IP Addresses On A Single NIC; IP Address Assignment For A Direct DSL Connection; Some Important Files Created By adsl-setup; Simple Troubleshooting; How To Change Your Default Gateway; How To Delete A Route; How To Configure Two Gateways; How To Convert Your Linux Server Into A Router; How To View Your Current Routing Table; Configuring Your /etc/hosts File (/etc/hosts File Format).

Chapter 1 : Adding Linux Users

passwd: all authentication tokens updated successfully.
[root@bigboy root]#

• Users may wish to change their passwords at a future date. Here is how unprivileged user "paul" would change his own password. (The "maximum of 8 characters" in the prompt comes from the old DES-based crypt() hash, which silently ignores anything after the eighth character, so the password is only as strong as its first eight characters.)

[paul@bigboy paul]$ passwd
Changing password for paul
Old password: your current password
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password: your new password
Re-enter new password: your new password
Password changed.
[paul@bigboy paul]$

How To Delete Users

• The userdel command is used. The "-r" flag removes all the contents of the user's home directory, the directory itself and the user's mail spool. Files paul owned anywhere else on the system are left behind with an orphaned owner; after the delete, "find / -nouser" lists them so you can decide what to do with them.

[root@bigboy tmp]# userdel -r paul

How To Tell The Groups To Which A User Belongs

• Use the "groups" command with the username as the argument.

[root@bigboy root]# groups paul
paul : parents
[root@bigboy root]#

Download and Install The sudo Package

Fortunately the package is installed by default by RedHat.

The visudo Command

• "visudo" is the command used to edit the /etc/sudoers configuration file. "visudo" uses the same commands as the "vi" text editor. It is not recommended that you use any other editor to modify your sudo parameters: visudo locks the file against concurrent edits and refuses to save a file with a syntax error, which is what stops a typo from locking everyone out of sudo.
• "visudo" is best run as user "root".

The /etc/sudoers File

General Guidelines

o The /etc/sudoers file has the general format:
  usernames/group target-servername = command
o Groups are the same as user groups and are differentiated from regular users by a % at the beginning
o The "#" at the beginning of a line signifies a comment line
o You can have multiple usernames per line separated by commas
o Multiple commands can be separated by commas too. Spaces are considered part of the command.
o The keyword "ALL" can mean all usernames, groups, commands and servers
o If you run out of space on a line, you can end it with a "\" and continue on the next line
o The NOPASSWD keyword provides access without you being prompted for your password. Reserve it for narrowly scoped commands run by automated jobs; combined with ALL it is a password-less root shell for anyone who gets that account.

Simple Examples

o Users "paul" and "mary" have full access to all privileged commands:
  paul, mary ALL=(ALL) ALL
  This is equivalent to giving them the root password. For ordinary administrators, list the specific commands they need instead, and remember that any permitted command which can start a shell or an editor (vi, less, find with -exec) hands over a root shell anyway.
o You may run other privileged commands using sudo within a five minute period without being re-prompted for a password (sudo's default timestamp timeout)
o All commands run as sudo are logged in the log file /var/log/messages. Depending on the RedHat release the entries may land in /var/log/secure instead; grep both for "sudo:" when reviewing who ran what.
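An auditing pass over the /etc/sudoers entries described above, as an added example (not code from the manual or from the sudo project). It parses only the subset of the sudoers grammar this section lists (user and %group lists, host = (runas) [NOPASSWD:] command lists, "#" comments and "\" line continuation), skips Defaults and alias lines, and flags the entries that amount to handing out the root password: ALL as the command list, NOPASSWD, and wildcards in command arguments. The SAMPLE_SUDOERS text is constructed for the demo.

```python
"""Parse and audit /etc/sudoers entries of the kind described above.

Added example, not code from the Linux Home Networking manual or from
sudo itself.  Handles the subset of the sudoers grammar the page lists
(user and %group lists, host = (runas) [NOPASSWD:] command lists, '#'
comments, '\\' line continuation); Defaults and *_Alias lines are
skipped.  SAMPLE_SUDOERS is constructed for the demo.
"""
import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# Users "paul" and "mary" have full access to all privileged commands
paul, mary ALL=(ALL) ALL
# Everyone in group "ops" may restart apache and read its logs
%ops ALL=(root) /etc/init.d/httpd restart, \\
    /bin/cat /var/log/httpd/*
# Backup account: no password prompt, unrestricted
backup ALL=(ALL) NOPASSWD: ALL
Defaults timestamp_timeout=5
"""

@dataclass
class Rule:
    users: list       # user names, %group names, or ALL
    host: str         # target-servername
    runas: str        # the (runas) part; root when omitted
    nopasswd: bool
    commands: list

_RULE = re.compile(
    r"^(?P<users>[^=]+?)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SKIP = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def logical_lines(text):
    """Yield '\\'-continued lines joined into one, minus comments and blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped, buf = buf.strip(), ""
        if stripped and not stripped.startswith("#"):
            yield stripped

def parse_sudoers(text):
    """Return a Rule for every user specification in the file."""
    rules = []
    for line in logical_lines(text):
        if line.startswith(SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        tags = m.group("tags").replace(" ", "").split(":")
        rules.append(Rule(
            users=[u.strip() for u in m.group("users").split(",")],
            host=m.group("host"),
            runas=(m.group("runas") or "root").strip(),
            nopasswd="NOPASSWD" in tags,
            commands=[c.strip() for c in m.group("cmds").split(",")],
        ))
    return rules

def findings(rules):
    """Flag entries that amount to giving away the root password."""
    out = []
    for r in rules:
        who = ",".join(r.users)
        if "ALL" in r.commands:
            out.append(f"{who}: unrestricted commands (ALL) on {r.host}")
        if r.nopasswd:
            out.append(f"{who}: NOPASSWD on {', '.join(r.commands)}")
        for c in r.commands:
            if "*" in c:   # sudo glob-matches arguments, so '*' spans far more than a filename
                out.append(f"{who}: wildcard in {c!r}")
    return out

if __name__ == "__main__":
    for item in findings(parse_sudoers(SAMPLE_SUDOERS)):
        print(item)
```

Run it against a copy of /etc/sudoers (read it with visudo -c's blessing, never edit it by hand) to get a short list of the entries worth a second look before a new administrator account is handed out.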

RPMs Downloaded From Redhat

Advanced searches for all versions of RedHat can be done using this web link: http://www.redhat.com/apps/download/advanced_search.html

RedHat also has a highly used FTP site, ftp.redhat.com. Start your search in the /pub/redhat/linux/ directory and move down the directory tree. If you’re new to FTP, don’t worry, it’ll be explained later.

RPMs Downloaded From Speakeasy

RedHat only has their approved software on their site. A good general purpose source is RPMfind: http://speakeasy.rpmfind.net/

Always remember to select the RPM that matches your version of Linux. Whatever the source, check a downloaded package's signature before installing it: "rpm -K filename.rpm" reports whether its GPG signature verifies against the keys in your RPM database. A package from a mirror you do not control is code that will run as root.

RPMs On Your Installation CDs

This is usually easier than having to download files from a remote website, though you run the risk of some of the packages being obsolete due to newer releases on the RedHat website. See the section about using Automount to easily access your CDROM drive to obtain RPM files.

How to Easily Access CD RPMs With Automount

Using the Linux installation CDs is usually easier. It is usually simplest to configure your system to Automount your CDROM. This makes the files on it immediately accessible whenever you access it without having to use the "mount" command. This will make your Linux system act more like Windows.

• Autofs, the package that supports Automount, is installed by default with newer versions of RedHat Linux. You can check this using the following command.

[root@bigboy tmp]# rpm -qa | grep autofs
autofs-3.1.7-33
[root@bigboy tmp]#

• You can then ensure that it runs when the system boots using the chkconfig command.

[root@bigboy tmp]# chkconfig --level 345 autofs on
[root@bigboy tmp]#

Chapter 3 : Installing RPM Software

• There are two automount configuration files in /etc, one called auto.master and the other called auto.misc. My auto.master looks like this:

/misc /etc/auto.misc --timeout 60

The default version of this file normally has this line commented out, so you’ll have to remove the "#" at the beginning of the line for the configuration to take effect when autofs is restarted. The first entry is not the mount point; it's where the set of autofs mount points will be. The second entry is a reference to the default map file /etc/auto.misc, and the third option says that the mounted filesystems can be unmounted 60 seconds after they were last used.

• You can create mount points for each of your removable devices, "floppy", "cdrom" and "zip", with the following commands. (The automounter also creates these directories on demand for keys in the map, so this step is optional.)

[root@bigboy tmp]# mkdir /misc/cdrom
[root@bigboy tmp]# mkdir /misc/floppy
[root@bigboy tmp]# mkdir /misc/zip
[root@bigboy tmp]# ll /misc
total 3
drwxr-xr-x 2 … cdrom
drwxr-xr-x 2 … floppy
drwxr-xr-x 2 … zip
[root@bigboy tmp]#

• Edit your auto.misc file to include the CDROM. It should have an entry like this.

cdrom -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

You'll find other entries such as "floppy" and "zip" commented out with a "#". If you need them, just delete the "#". The first column (the "key") is the mount point under directory /misc, so in this case you'll be doing auto mounting when you access /misc/cdrom. Keep the nosuid and nodev options on removable media: they stop a setuid binary or a device node on a disc someone brought in from being honoured by the kernel.

• Restart autofs.

[root@bigboy /tmp]# /etc/init.d/autofs restart
Stopping automount:                                        [ OK ]
Starting automount:                                        [ OK ]
[root@bigboy /tmp]#

Downloading RPMS To Your Linux Box
For casual searching and installing, I recommend using the http links above. If you are doing industrial strength stuff, then use a real FTP client such as WS_FTP or CuteFTP (GUI) or the command line.

Getting RPMs Using Web Based FTP
Let’s say you are running RedHat 8.0 and need to download an RPM for the DHCP server.

RedHat
• Use your web browser to go to the RedHat link above
• Type in dhcp in the search box
• Click the search button
• Scroll down for the RPM you need for the DHCP server
• Click on the appropriate "download" link
• Click on the FTP link
• Save the file to the Linux box's hard drive

Speakeasy
• Go to the Speakeasy link
• Type in dhcp in the search box
• Click the search button
• Scroll down for the RPM that matches your version of RedHat
• The right hand column has the links with the actual names of the rpm files
• Click the link
• Save the file to the Linux box's hard drive

It is best to download RPMs to a directory named "RPM", so you can find them later.

Getting RPMs Using Command Line Anonymous FTP

The Web based method above transparently uses anonymous File Transfer Protocol (FTP). Anonymous FTP allows you to log in and download files from an FTP server using the username “anonymous” and a password that matches your email address. This way anyone can access the data. Nothing on an FTP connection is encrypted or authenticated, so a package fetched this way should be signature-checked (rpm -K) before it is installed.

• Let's try to FTP the SSH package from ftp.redhat.com

[root@bigboy tmp]# ftp ftp.redhat.com
Trying 66.77.185.38...
Connected to ftp.redhat.com (66.77.185.38).

Command   Description
get       Get a file from the FTP server
lcd       Change the directory on the local machine
ls        Same as dir
mget      Same as get, but you can use wildcards like "*"
mput      Same as put, but you can use wildcards like "*"
passive   Make the file transfer passive mode
put       Put a file from the local machine onto the FTP server
          Give the directory name on the local machine
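The anonymous login and the "passive" command from the table above, shown as the actual control-channel exchange. This is an added example, not code from the manual: the client side speaks RFC 959 over anything with sendall()/recv(), and here it is driven by ScriptedServer, whose replies are constructed for the demo (66.77.185.38 is the ftp.redhat.com address from the session above; the passive port pair 195,80 and the e-mail address are invented). It shows two things the page does not: how multi-line replies such as a "220-" banner are delimited, and why passive mode matters to a firewall, since the client must open a second, outbound connection to whatever port the server's 227 reply names.

```python
"""Anonymous FTP login and passive-mode negotiation, step by step.

Added example, not code from the Linux Home Networking manual.  The
client side talks RFC 959 over any object with sendall()/recv(); here it
is driven by ScriptedServer, whose replies are constructed for the demo
(66.77.185.38 is the ftp.redhat.com address shown on the page; the
passive port pair 195,80 is invented).
"""
import re

class ScriptedServer:
    """Stand-in for a socket: canned RFC 959 replies keyed by command verb."""
    REPLIES = {
        None:   "220-Welcome to ftp.redhat.com\r\n220 Please login.\r\n",
        "USER": "331 Please specify the password.\r\n",
        "PASS": "230 Login successful.\r\n",
        "PASV": "227 Entering Passive Mode (66,77,185,38,195,80)\r\n",
        "CWD":  "250 Directory successfully changed.\r\n",
        "QUIT": "221 Goodbye.\r\n",
    }

    def __init__(self):
        self.sent = []                      # every command line the client sent
        self._pending = self.REPLIES[None]  # the greeting waits to be read

    def sendall(self, data):
        line = data.decode().rstrip("\r\n")
        self.sent.append(line)
        verb = line.split(" ", 1)[0]
        self._pending = self.REPLIES.get(verb, "502 Command not implemented.\r\n")

    def recv(self, n):
        chunk, self._pending = self._pending[:n], self._pending[n:]
        return chunk.encode()


class FtpControl:
    """Minimal FTP control connection: login, CWD, PASV, QUIT."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = ""
        self.greeting = self.read_reply()   # the server speaks first (220)

    def _readline(self):
        while "\r\n" not in self.buf:
            chunk = self.sock.recv(256).decode()
            if not chunk:
                raise ConnectionError("server closed the control connection")
            self.buf += chunk
        line, self.buf = self.buf.split("\r\n", 1)
        return line

    def read_reply(self):
        """One reply: 'ddd text', or 'ddd-text' ... up to a 'ddd text' line."""
        first = self._readline()
        code = first[:3]
        lines = [first]
        if first[3:4] == "-":                # multi-line reply
            while not lines[-1].startswith(code + " "):
                lines.append(self._readline())
        return int(code), "\n".join(lines)

    def cmd(self, verb, arg=None):
        line = verb if arg is None else f"{verb} {arg}"
        self.sock.sendall((line + "\r\n").encode())
        return self.read_reply()

    def login_anonymous(self, email):
        """USER anonymous, then PASS <email> if the server asks for one (331)."""
        code, _ = self.cmd("USER", "anonymous")
        if code == 331:
            code, _ = self.cmd("PASS", email)
        if code != 230:
            raise PermissionError(f"anonymous login refused, reply {code}")
        return code

    def passive(self):
        """Send PASV; return the (host, port) the data connection must go to."""
        code, text = self.cmd("PASV")
        if code != 227:
            raise RuntimeError(f"PASV refused: {text}")
        m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
        if not m:
            raise ValueError(f"malformed 227 reply: {text}")
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def anonymous_session(email="paul@example.com"):   # e-mail address is made up
    """Drive a whole session against the scripted server; return what happened."""
    sock = ScriptedServer()
    ftp = FtpControl(sock)
    ftp.login_anonymous(email)
    data_endpoint = ftp.passive()
    ftp.cmd("CWD", "/pub/redhat/linux")
    ftp.cmd("QUIT")
    return sock.sent, data_endpoint

if __name__ == "__main__":
    sent, (host, port) = anonymous_session()
    print("\n".join(sent))
    print(f"data connection would go to {host}:{port}")
```

Against a real server you would hand FtpControl a connected socket instead of ScriptedServer. The port arithmetic (p1 * 256 + p2) is the detail that bites behind a firewall: without passive mode the server would instead connect back to a port your client chose, which a NAT box or packet filter will normally drop.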

How To Install The RPMs

Using Downloaded Files

• Download the RPMs, which usually have a file extension ending with (.rpm), into a temporary directory such as /tmp
• As user root, issue the following command:

[root@bigboy tmp]# rpm -Uvh filename.rpm

How to Install Source RPMs

Sometimes the packages you want to install need to be compiled in order to match your kernel version. This requires you to use source RPM files.

• Download the source RPMs or locate them on your CD collection. They usually have a file extension ending with (.src.rpm)
o The source files are first exported into the directory /usr/src/redhat/SPECS with the rpm command.
o You then have to run the rpm command again to compile the source files into a regular RPM file, which will be placed in either the /usr/src/packages/RPMS/i386/ or the /usr/src/redhat/RPMS/i386/ directory. The build is driven by the package's .spec file, so that is what you name here; on RedHat 8.0 and later the build commands have moved from "rpm" to "rpmbuild" ("rpmbuild -ba"), and "rpm --rebuild filename.src.rpm" (later "rpmbuild --rebuild") does the unpack and build in one step.
o You then have to install the new RPM file from this directory.

[root@bigboy tmp]# rpm -Uvh filename.src.rpm
[root@bigboy tmp]# cd /usr/src/redhat/SPECS
[root@bigboy SPECS]# rpm -ba filename.spec
[root@bigboy SPECS]# cd /usr/src/redhat/RPMS/i386
[root@bigboy i386]# rpm -Uvh filename.rpm

Rebuilding a source RPM runs whatever %prep and %build scripts its author put in the spec file. Only the final rpm -Uvh needs root; do the build itself as an ordinary user so a hostile or merely careless spec file cannot touch the rest of the system.

Here we see that the regular RPM file, not the source RPM, has been installed correctly.

[root@bigboy rpm]# rpm -qa | grep tac_plus
tac_plus-4.0.3-2
[root@bigboy rpm]#

Older Linux Versions

The process is more complicated with older RedHat Linux versions as can be seen below.

How To List Installed RPMs

• The rpm -qa command will list all the packages installed on your system

[root@bigboy tmp]# rpm -qa
perl-Storable-1.0.14-15
libstdc++-3.2-7
smpeg-gtv-0.4.4-9
e2fsprogs-1.27-9
audiofile-0.2.3-3
… … …
[root@bigboy tmp]#

• You can also pipe the output of this command through the grep command if you are interested in only a specific package. In this example we are looking for all packages containing the string “ssh” in the name, regardless of case (“-i” meaning ignore case)

[root@bigboy tmp]# rpm -qa | grep -i ssh
openssh-server-3.4p1-2
openssh-clients-3.4p1-2
openssh-askpass-3.4p1-2
openssh-3.4p1-2
openssh-askpass-gnome-3.4p1-2
[root@bigboy tmp]#

How Uninstall RPMs

• The rpm -e command will erase an installed package. The package name given must match one listed by the rpm -qa command. The bare name is enough; the version is only needed to pick one out when several versions of the same package are installed, as happens with kernels.

[root@bigboy tmp]# rpm -e package-name

RedHat Up2date

RedHat has a program called up2date which will update your Linux installation with the latest revisions of the RPMs from the RedHat website via a HTTPS/SSL connection running in the background. Here’s what to do:

• After installing the operating system issue the up2date command. It will prompt you to change the initial settings. Just quit by typing “q” and up2date will give you the command to run to get the encryption keys from RedHat.

[root@bigboy tmp]# up2date
0. debug            No
1. isatty           Yes
2. depslist         []
… … …
Enter number of item to edit <return to exit, q to quit without saving>: q
Your GPG keyring does not contain the Red Hat, Inc. public key.
Without it, you will be unable to verify that packages Update Agent downloads
are securely signed by Red Hat.

Your Update Agent options specify that you want to use GPG.

To install the key, run the following as root:
    rpm --import /usr/share/rhn/RPM-GPG-KEY
[root@bigboy tmp]#

• Issue the rpm command to get the keys. This imports the RedHat package-signing key that shipped with the up2date package, so from now on up2date (and rpm -K) can check that each downloaded package was really signed by RedHat. You can confirm the key is in the RPM database with "rpm -q gpg-pubkey".

[root@bigboy tmp]# rpm --import /usr/share/rhn/RPM-GPG-KEY
[root@bigboy tmp]#

• Issue the up2date command again and it will prompt you through a number of registration screens which will ask for information such as:
o The login name & password of your choice
o Your name, address and email address
o A profile name for your server
• It will then present you with a list of all the packages installed on your server and ask you whether you want to register this software information with RedHat
• The up2date updater will then register your system and exit back to the command prompt.
• Now you have to actually update the software using up2date. This is done with the up2date –u command. This is what it looks like:

[root@bigboy tmp]# up2date -u
Fetching package list for channel: redhat-linux-i386-8.0...
########################################
Fetching Obsoletes list for channel: redhat-linux-i386-8.0...
########################################
Fetching rpm headers...
########################################
Testing package set / solving RPM inter-dependencies...
########################################
cups-libs-1.1.17-0.1.i386.r ########################## Done.
… … …
Preparing                ########################################### [100%]
Installing...
   1:cups-libs           ########################################### [100%]
   2:cvs                 ########################################### [100%]
   3:cyrus-sasl          ########################################### [100%]
… … …

The following Packages were marked to be skipped by your configuration:

Name                  Version    Rel      Reason
--------------------------------------------------------------------
kernel                2.4.18     24.8.0   Pkg name/pattern
[root@bigboy tmp]#

Some Necessary Facts About up2date

o You can update your contact information afterwards using the link http://www.redhat.com/network
o Only one profile per login name is free. All additional profiles under the login name have an annual fee.
o up2date uses HTTPS/SSL to do its updating. If you have a firewall protecting your system, you will need TCP port 443 access to the internet
o Updating packages could cause programs written by you to stop functioning, especially if they rely on the older version’s features or syntax.
o Some RPMs won’t install unless other RPMs have been installed previously. up2date automatically figures out these package inter-dependencies and will install all the required foundation packages as well.
o RedHat will regularly send you emails with the packages you need to update. You can selectively update the package mentioned in each email using the command:

[root@bigboy tmp]# up2date package-name

o You can write a small script to periodically update your system. Here is a sample script that you can run weekly using cron. The “–u” switch will update all packages and the “-p” will register any additional packages you have installed without using up2date. Note from the up2date -u output above that the kernel is on the skip list by default, so a job like this never installs kernel errata; those you apply by hand. Keep the job's output (cron mails it to root) so you can see what changed when something stops working the next morning.

#!/bin/sh
#
# Updates system every week
#
up2date -p
up2date -u

Chapter 4 : The Linux Boot Process

Determining The Default Boot runlevel

The default boot runlevel is set in the file /etc/inittab with the "initdefault" variable. When set to "3", the system boots up with the text interface on the VGA console; when set to "5", you get the GUI. Here is a sample snippet of the file: (Delete the initdefault line you don't need)

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:    # Console Text Mode
id:5:initdefault:    # Console GUI Mode

• Most home users boot up with a Windows like GUI (Run Level 5)
• Most techies will tend to boot up with a plain text based command line type interface (Run level 3)
• Changing "initdefault" from 3 to 5 or vice-versa will only have an effect upon your next reboot. See the section below on how to get a GUI login all the time until the next reboot.

Mode/Run Level   Description                                   Directory
0                Halt                                          /etc/rc.d/rc0.d
1                Single-user mode                              /etc/rc.d/rc1.d
2                Not used (user-definable)                     /etc/rc.d/rc2.d
3                Full multi-user mode (No GUI interface)       /etc/rc.d/rc3.d
4                Not used (user-definable)                     /etc/rc.d/rc4.d
5                Full multi-user mode (With GUI interface)     /etc/rc.d/rc5.d
6                Reboot                                        /etc/rc.d/rc6.d

Get A GUI Console

You have two main options if your system comes up in a text terminal mode on the VGA console and you want to get the GUI:

• Manual Method: You can start the X terminal GUI application each time you need it by running the "startx" command at the VGA console. Remember that when you log out you will get the regular text based console again.

[root@bigboy tmp]# startx

• Automatic Method: You can have Linux automatically start the X terminal GUI console for every login attempt until your next reboot by using the init command. You will need to edit your "initdefault" variable in your /etc/inittab file as mentioned in the preceding section to keep this functionality even after you reboot.

[root@bigboy tmp]# init 5

Get A Basic Text Terminal Without Exiting The GUI

Using Virtual Terminals

Linux actually has seven virtual console sessions running on the VGA console.
o Sessions one through six are text sessions. You can step through each text session by using the <CTL> <ALT> <F1> through <F6> key sequence. You'll get a new login prompt for each attempt.
o If the GUI is running, it will run under session number seven, either in run level 5 or after launching "startx". You can get the GUI login with the sequence <CTL> <ALT> <F7>.

Using A GUI Terminal Window

You can open a GUI based window with a command prompt inside by doing the following:
o Click on the "Red Hat" Start button in the bottom left hand corner of the screen.
o Click on Systems Tools, then Terminal.

System Shutdown And Rebooting

The "init" command will allow you to change the current runlevel.

Halt / Shutdown The System

[root@bigboy tmp]# init 0

Reboot The System

[root@bigboy tmp]# init 6

Turn it back on again

[root@bigboy tmp]# chkconfig --level 35 sendmail on
[root@bigboy tmp]# chkconfig --list | grep mail
sendmail        0:off   1:off   2:off   3:on    4:off   5:on    6:off
[root@bigboy tmp]#

Final Tips On chkconfig

• In most cases you'll want to modify runlevels 3 and 5 simultaneously AND with the same values.
• Don't add/remove anything to other runlevels unless you absolutely know what you are doing. Don't experiment.
• Chkconfig doesn't start the programs in the /etc/init.d directory, it just configures them to be started or ignored when the system boots up.

The commands for starting and stopping the programs covered in this book are covered in each respective chapter.
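Two small checks for the boot configuration this chapter covers, as an added example that is not part of the manual: the first reads an inittab and reports its default runlevel, refusing the 0 and 6 values the file comments warn against and the duplicate initdefault lines the snippet above says to delete; the second reads chkconfig --list output and flags services whose runlevel 3 and 5 settings differ. The sample inittab and chkconfig output are constructed, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the book: two sanity checks for the boot
# configuration described in this chapter. Both read stdin so they can be
# run against the constructed samples below or the real thing, e.g.
#   inittab_default_runlevel < /etc/inittab
#   chkconfig --list | check_chkconfig_runlevels

# Print the runlevel set by the initdefault line of an inittab. Fails if the
# line is missing, if more than one is present (delete the one you don't
# need) or if it is 0 or 6, which would halt or reboot the box at every boot.
inittab_default_runlevel() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        $3 == "initdefault" { count++; level = $2 }
        END {
            if (count == 0)
                msg = "no initdefault line found"
            else if (count > 1)
                msg = "more than one initdefault line; delete the one you do not need"
            else if (level == "0" || level == "6")
                msg = "initdefault " level " would halt or reboot at every boot"
            if (msg != "") { print "inittab: " msg | "cat 1>&2"; exit 1 }
            print level
        }'
}

# From "chkconfig --list" output, report services whose runlevel 3 and
# runlevel 5 settings differ, and services switched on in the halt/reboot
# runlevels. Prints nothing when everything is consistent.
check_chkconfig_runlevels() {
    awk '
        NF == 8 && $2 ~ /^0:/ {                  # SysV lines only, not the xinetd block
            split("", state)
            for (i = 2; i <= NF; i++) { split($i, kv, ":"); state[kv[1]] = kv[2] }
            if (state["3"] != state["5"])
                printf "%s: runlevel 3 is %s but runlevel 5 is %s\n", $1, state["3"], state["5"]
            if (state["0"] == "on" || state["6"] == "on")
                printf "%s: enabled in runlevel 0 or 6\n", $1
        }'
}

# Constructed sample input for a stand-alone run.
SAMPLE_INITTAB='# Default runlevel.
id:5:initdefault:   # Console GUI Mode
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l5:5:wait:/etc/rc.d/rc 5'

SAMPLE_CHKCONFIG='sendmail        0:off   1:off   2:off   3:on    4:off   5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: off'

echo "default runlevel: $(printf '%s\n' "$SAMPLE_INITTAB" | inittab_default_runlevel)"
printf '%s\n' "$SAMPLE_CHKCONFIG" | check_chkconfig_runlevels
```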

Chapter 5 : Why Host Your Own Site?

Alternatives To Home Web Hosting

It is easy to find virtual hosting companies on the Web which will offer to host a simple website for about $10 per month. They will provide you with a login name and password, the IP address of your site plus the name of a private directory on a shared web server in which you'll place your web pages. The virtual hosting provider will also offer free backups of your site, technical support, a number of email addresses and an easy to use web based GUI to manage your settings. For an additional charge, many will also provide an e-commerce feature which will allow you to have a shopping cart and customer loyalty programs.

Virtual hosting is the ideal solution for many small websites. The steps are fairly straight forward:

• Sign up for the virtual hosting service.
• Register your domain name, such as www.my-site.com, with companies like Register.com, Verisign or RegisterFree.com. You must make sure your new domain name's DNS records point to the DNS server of the virtual hosting company.
• Upload your web pages to your private virtual hosting directory.
• Test viewing your site using your IP address in your web browser. It takes about 3-4 days for DNS to propagate across the Web, so you'll probably have to wait at least that long before you'll be able to view your site using your domain.

Factors To Consider Before Hosting Yourself

There are a number of reasons why you may want to move your website to your home or small office.

Home Based Websites

Pros

o Cost: It is possible to host a website on most DSL connections. If your home already has DSL there would be no additional network connectivity costs. A website can be hosted on this data circuit for the only additional hardware cost of a network switch and a web server. You should be able to buy this equipment second hand for about $100. So for a savings of $10 per month the project should pay for itself in less than a year.
o New Skills: There is also the additional benefit of learning the new skills required to set up the site.
o Availability: Reliable virtual hosting facilities may not be available in your country and/or you may not have access to the foreign currency to host your site abroad.

Cons

o Lost Services: You lose the convenience of many of the services such as backups, security audits, load balancing, redundant hardware, DNS, data base services and technical support offered by the virtual hosting company. For the home based website these are usually not big issues.
o Security: One important factor to consider is the security of your new server. Hosting providers may provide software patches to fix security vulnerabilities on your web servers and may even provide a firewall to protect it. There is a chapter on the iptables Linux firewall and general security policies for Linux servers to help you overcome these shortcomings.
o Technical Ability: Your service provider may have more expertise in setting up your site than you do.

Small Office Based Websites

Pros

o Increased Control: You will be able to manage all aspects of your website if it is hosted on a server based either in-house or within your control at a remote data center. Changes can be made with little delay.
o Cost: The cost of using an external web hosting provider will increase as you purchase more systems administration services. You will eventually be able to justify hosting your website in-house based on this financial fact. In order to determine the break even point of the proposal, you will have to consider the following:

  In-house Web Hosting Savings
  • Monthly out sourced web hosting fee
  • Elimination of the cost of delays to implement desired services.

  Costs
  • New hardware & software
  • Possible new application development, which may have been highly desirable and cost effective.
  • Training
  • The percentage of IT staff's time installing and maintaining the site
  • Potential cost of the risks (% likelihood of failure per month X cost of failure)

  Risks
  • Likelihood of a failure and expected duration
  • The cost of both the failure and post failure recovery (Hardware, software, data restoration, time)

  Proceed with the server migration only if you feel your staff can handle the job.
o Availability: Reliable virtual hosting facilities may not be available in your country and you may not have access to the foreign currency to host your site abroad.

Cons

o Lost Services: You won't have access to the services provided by your old service provider. These services may be more difficult to implement at home.
o Security: Always weigh the degree of security maintained by your hosting provider with that which you expect to provide in-house. The chapter on the Linux iptables firewall should help make the decision easier.
o Technical Ability: You may have to incur additional training costs to ensure that your IT staff has the necessary knowledge to do the job internally.

How To Migrate From An External Provider

The chapter on DNS has a detailed explanation of the steps involved in migrating your website from an external hosting provider to your home or small office. You should also read the sections on mail and web server configuration to help provide a more rounded understanding of the steps involved.

Chapter 6 : Introduction To Networking

What Is TCP/IP?

TCP/IP is a universal standard suite of protocols used to provide connectivity between networked devices. It is part of the larger OSI model upon which most data communications is based. One component of TCP/IP is the Internet Protocol (IP) which is responsible for ensuring that data is transferred between two addresses without being corrupted. For manageability, the data is usually split into multiple pieces or "packets", each with its own error detection bytes in the control section or "header" of the packet. The remote computer then receives the packets, reassembles the data and checks for errors. It then passes the data to the program that expects to receive it. How does the computer know what program needs the data? Each IP packet also contains a piece of information in its header called the "type" field. This informs the computer receiving the data about the type of transportation mechanism being used. The two most popular transportation mechanisms used on the Internet are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

What is TCP?

TCP opens up a connection between client and server programs running on separate computers so that multiple and/or sporadic streams of data can be sent over an indefinite period of time. TCP keeps track of the packets sent by giving each one a sequence number, with the remote server sending back "acknowledgement" packets confirming correct delivery. Programs that use TCP therefore have a means of detecting connection failures and requesting the retransmission of missing packets. TCP is a good example of a "connection oriented" protocol.

What is UDP?

UDP is a connectionless protocol. Data is sent on a "best effort" basis with the machine that sends the data having no means of verifying whether the data was correctly received by the remote machine. UDP is usually used for applications in which the data sent is not mission critical. It is also used when data needs to be broadcast to all available servers on a locally attached network, where the creation of dozens of TCP connections for a short burst of data is considered resource hungry.

What are TCP / UDP Ports?

So the data portion of the IP packet contains a TCP or UDP datagram sandwiched inside. Only the TCP datagram header contains sequence information, but both the UDP and the TCP datagram headers track the "port" being used. The source/destination port combination defines the program on the computer that sent/received the data. You could look at it as a combination used to create a connection ID number. Certain programs are assigned specific ports that are internationally recognized. For example, port 80 is reserved for HTTP web traffic and port 25 is reserved for SMTP email. Ports below 1024 are reserved for privileged system functions, those above 1024 are generally reserved for non system third party applications. Usually when a connection is made from a client computer requesting data to the server machine that contains the data:

o The client selects a random unused "source" port greater than 1024 and queries the server on the "destination" port specific to the application. For example, the client will use a source port of, say, 1095 and query the server on port 80 (HTTP).
o The server recognizes the port 80 request as an HTTP request and passes on the data to be handled by the web server software. When the web server software replies to the client, it tells the TCP application to respond back to port 1095 of the client using a source port of port 80.
o The client keeps track of all its requests to the server's IP address and will recognize that the reply on port 1095 isn't a request initiation for "Nicelink" (See the Bibliography for a link to a TCP/IP port listing), but a response to the initial port 80 HTTP query.

What is ICMP?

There is another commonly used protocol called the Internet Control Message Protocol (ICMP). It is not strictly a TCP/IP protocol, but TCP/IP based applications use it frequently. ICMP provides a suite of error, control, and informational messages for use by the operating system. For example, IP packets will occasionally arrive at a server with corrupted data due to any number of reasons including a bad connection, electrical interference or even misconfiguration. The server will usually detect this by examining the packet and correlating the contents to what it finds in the IP header's error control section. It will then issue an ICMP reject message to the original sending machine that the data should be resent. ICMP also includes echo and echo reply messages used by the Linux "ping" command to confirm network connectivity. More information on ICMP messages can be found in both the Appendix and the chapter on network troubleshooting.

What is a TTL?

Each IP packet has a Time to Live (TTL) section that keeps track of the number of network devices the packet has passed through to reach its destination. The server sending the packet sets the TTL value and each network device that the packet passes through then reduces this value by "1". If the TTL value reaches "0", then the network device will discard the packet. This mechanism helps to ensure that bad routing on the Internet won't cause packets to aimlessly loop around the network. TTLs help to reduce the clogging of data circuits with unnecessary traffic.

What Do IP Addresses Look Like?

• All devices connected to the Internet have an Internet Protocol (IP) address. Just like a telephone number, it helps to uniquely identify a user of the system.
• IP addresses are in reality a string of binary digits or "bits". Each bit is either a 1 or a 0. IP addresses have 32 bits in total.
• For ease of use, IP addresses are written in what is called a "dotted decimal" format, four numbers with dots in between. An example of an IP address would be 97.158.253.24. None of the numbers between the dots may be greater than 255.
• The numbers between the dots are frequently referred to as "octets".
• Some groups of IP addresses are reserved for use only in private networks and are not routed over the Internet. These are:

Private IP Addresses

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

• Home networking equipment / devices usually are configured in the factory with an IP address in the range 192.168.1.1 to 192.168.1.255.
• You can check the Linux networking topics page on how to configure the IP address of your Linux box.

What Is Localhost?

Whether or not your computer has a network interface card it will have a "built in" IP address with which network aware applications can communicate with one another. This IP address is defined as 127.0.0.1 and is frequently referred to as "localhost".

What Is A Subnet Mask?

• Subnet masks are used to tell which part of the IP address represents:
  o The network on which the computer is connected (Network portion)
  o The computer's unique identifier on that network (Host portion)
• A simple analogy would be a phone number, such as (808) 225-2468. The (808) represents the area code, the 225-2468 represents the telephone within that area code.
• Subnet masks allow you to specify how long you want the area code to be (network portion) at the expense of the number of telephones that are in the area code (Host portion).
• Most home networks use a subnet mask of 255.255.255.0. Each "255" means this octet is for the area code (network portion). So if your server has an IP address of 192.168.1.25 and a subnet mask of 255.255.255.0, then the network portion would be 192.168.1 and the server or host would be device #25 on that network. You can then use IP addresses from #1 to #254 on your "private" network. In this example, host #0 (192.168.1.0) is reserved to represent the network itself, and host #255 (192.168.1.255) is reserved for broadcast traffic intended to reach all hosts on the network at the same time.
• If you purchased a DSL service from your Internet service provider (ISP) that gives you fixed IP addresses, then they will most likely provide you with a subnet mask of 255.255.255.248 that defines 8 IP addresses. For example, if the ISP provides you with a "public" network address of 97.158.253.24 and a subnet mask of 255.255.255.248 and a gateway of 97.158.253.25, then your IP addresses will be:
  o 97.158.253.24 - Network base address
  o 97.158.253.25 - Gateway
  o 97.158.253.26 - Available
  o 97.158.253.27 - Available
  o 97.158.253.28 - Available
  o 97.158.253.29 - Available
  o 97.158.253.30 - Available
  o 97.158.253.31 - Broadcast

How Many Addresses Do I Get With My Mask?

The method described in this section only works for subnet masks that start with "255.255.255", which should be sufficient for your home network.

• There are only 7 possible values for the last octet of a subnet mask. These are 0, 128, 192, 224, 240, 248, 252.
• You can calculate the number of IP addresses for each of the above values by subtracting the value from 256.
• So for example, if you have a subnet mask of 255.255.255.192 then you have 64 IP addresses in your subnet (256 - 192).

What's The Range Of Addresses On My Network?

If someone gives you an IP address of 97.158.253.28 and a subnet mask of 255.255.255.248, how do you determine the network address and the broadcast address, in other words the boundaries of my network? Here are the steps:

Manual Calculation

o Subtract the last octet of the subnet mask from 256 to give the number of IP addresses in the subnet. (256 - 248) = 8
o Divide the last octet of the IP address by the result of step 1, don't bother with the remainder (28/8 = 3). This will give you the theoretical number of subnets of the same size that are below this IP address. Think of it as "This is the third subnet with 8 addresses in it".
o Multiply this result by the result of step 1 to get the network address (8 x 3 = 24). The Network address is therefore 97.158.253.24.
o The broadcast address is the result of step 3 plus the result of step 1 minus 1. (24 + 8 - 1 = 31). The broadcast address is 97.158.253.31. Think of it as "The broadcast address is always the network address plus the number of IP addresses in the subnet minus 1".

Let's do this for 192.168.3.56 with a mask of 255.255.255.224:
1. 256 - 224 = 32
2. 56 / 32 = 1
3. 32 x 1 = 32. Therefore the network base address is 192.168.3.32
4. 32 + 32 - 1 = 63. Therefore the broadcast address is 192.168.3.63

Let's do this for 10.0.0.75 with a mask of 255.255.255.240:
1. 256 - 240 = 16
2. 75 / 16 = 4
3. 16 x 4 = 64. Therefore the network base address is 10.0.0.64
4. 64 + 16 - 1 = 79. Therefore the broadcast address is 10.0.0.79

Note: As a rule of thumb, the last octet of your network base address must be divisible by the "256 minus the last octet of your subnet mask" and leave no remainder. If you are sub-netting a large chunk of IP addresses it's always a good idea to lay it out on a spreadsheet to make sure there are no overlapping subnets. Once again, this only works with subnet masks that start with 255.255.255.

Calculation Using A Script

There is a BASH script in the Appendix which will do this for you, just provide the IP address followed by the subnet mask as arguments. It will accept subnet masks in dotted decimal format or "/value" format. Here is a sample of how to use it:

[root@bigboy tmp]# ./subnet-calc.sh 216.151.193.92 /28
IP Address           : 216.151.193.92
Subnet Mask          : 255.255.255.240
Network Base Address : 216.151.193.80
Broadcast Address    : 216.151.193.95
Subnet Size          : 16 IP Addresses
[root@bigboy tmp]#

What Is Duplex?

• Duplex refers to the ability of a device to transmit and receive data at the same time.
• Full duplex uses separate pairs of wires for transmitting and receiving data so that incoming data flows don't interfere with outgoing data flows.
• Half duplex uses the same pairs of wires for transmitting and receiving data. Devices that want to transmit information have to wait their turn until the "coast is clear", at which point they send the data. Error detection and retransmission mechanisms ensure that data reaches the destination correctly even if it were originally garbled by multiple devices starting to transmit at the same time.
• Data transfer speeds will be low and error levels will be high if you have a device at one end of a cable set to full duplex, and another device at the other end of the cable set to half duplex.
• Most modern network cards can auto-negotiate duplex with the device on the other end of the wire. It is for this reason that duplex settings aren't usually a problem for Linux servers.

What Is A Hub?

• A hub is a device into which you can connect all devices on a home network so that they can talk together.
• Hubs physically cross-connect all their ports with one another, which causes all traffic sent from a server to the hub to be blurted out to all other servers connected to that hub whether they are the intended recipient or not.
• Hubs have none or very little electronics inside and therefore do not regulate traffic. It is possible for multiple servers to speak at once with all of them receiving garbled messages. When this happens the servers try again, after a random time interval, until the message gets through correctly.
• It is for these reasons that devices that plug into hubs should be set to half duplex.

What Is A Switch?

• A switch is also a device into which you can connect all devices on a home network so that they can talk together. Unlike a hub, traffic sent from Server A to Server B will only be received by Server B. The only exception is broadcast traffic, which is blurted out to all the servers simultaneously.
• Switches regulate traffic, thereby eliminating the possibility of message garbling. Switches therefore provide more efficient traffic flow.
• Devices that plug into switches should be set to full duplex to take full advantage of the dedicated bandwidth coming from each switch port.
• Pure switches provide no access control between servers connected to the same LAN. This is why network administrators group trusted servers having similar roles on the same LAN. They will also ensure that they don't mix servers on different IP networks on the same LAN segment.
• Simple home switches can be connected in a chain formation to create a LAN with more ports. This is often called "daisy chaining".

What Is A LAN?

• A Local Area Network (LAN) is a grouping of ports on a hub, switch or tied to a wireless access point (WAP) that can only communicate with each other.
• It is possible to have LANs that span multiple switches. Larger, more expensive switches can be configured to assign only certain ports to pre-specified Virtual LANs (VLANs) chosen by the network administrator. In this case, the switch houses ports on multiple LANs. A router still needs to be connected to each VLAN for inter-network communication.
• A good rule of thumb is to have only one network per LAN.

What Is A Router?

• As stated before, switches and hubs usually only have servers connected to them that have been configured as being part of the same network. Communication to devices on another LAN requires a router directly connected to both LANs.
• Routers will connect into multiple switches to allow these networks to communicate with one another. Routers therefore direct and regulate traffic between separate networks, much like a traffic policeman. The router is also capable of filtering traffic passing between the two LANs, therefore providing additional security.
• Routers can also be configured to deny communication between specific servers on different networks. They can also filter traffic based on the TCP port section of each packet. For example, it is possible to deny communication between two servers on different networks that intend to communicate on TCP port 80, and allow all other traffic between them.

What Is A Route?

• In the broader networking sense, a route refers to the path data takes to traverse from its source to its destination. Each router along the way may also be referred to as a hop.
• Usually when we speak about a route on a Linux box, we are referring to the IP address of the first hop needed to reach the desired destination network. It is assumed that this first hop will know how to automatically relay the packet.
• Routers are designed to exchange routing information dynamically, and can therefore intelligently redirect traffic to bypass failed network links. Home Linux boxes frequently don't run a dynamic routing protocol and therefore rely on "static" routes issued by the system administrator at the command line or in configuration files to determine the next hop to all desired networks.
• The Linux network topics page shows how to add static routes to your Linux box and also how you can convert it into a simple router.
• If you intend to route between networks, then for each network you must reserve an IP address for a router and make sure that the router is directly connected to the LAN associated with that network.

What Is A Gateway?

• Another name for a router.

What Is A Default Gateway?

• A default gateway is really a gateway of last resort. Say for example:
  o You have two routers R1 and R2
  o R1 is connected to both your SOHO home network (192.168.1.0) and the internet
  o R2 is connected to both your SOHO home network (192.168.1.0) and your credit card transaction payment network (10.0.0.0), which is also connected to other corporate networks with addresses starting with 10.X.X.X.
• You could put a route on your SOHO servers that states:
  o Go to network 10.0.0.0 255.0.0.0 via router R2
  o Go to everything else via router R1. R1 therefore would be considered your default gateway.
• For most home networks, your default gateway would be the router / firewall connected to the Internet. In home networks, routers most frequently provide connectivity to the Internet using network address translation or NAT.
• You can check the Linux networking topics page on how to configure the default gateway on your Linux box.

What Is A NIC?

Your network interface card is frequently called a NIC. Currently, the most common types of NIC used in the home are Ethernet and wireless Ethernet cards.

What Is A MAC Address?

The media access control address (MAC) can be equated to the serial number of the NIC. Every IP packet is sent out of your NIC wrapped inside an Ethernet frame which uses MAC addresses to direct traffic on your locally attached network. MAC addresses therefore only have significance on the locally attached network. As the packet hops across the Internet, its source/destination IP address stays the same, but the MAC addresses are reassigned by each router on the way using a process called ARP.

What Is ARP?

The Address Resolution Protocol (ARP) is used to map MAC addresses to network IP addresses. When a server needs to communicate with another server it does the following steps:

• The server first checks its routing table to see which router provides the next hop to the destination network.
• If there is a valid router, let's say with an IP address of 192.168.1.1, the server checks its ARP table to see whether it has the MAC address of the router's NIC. If there is an ARP entry, the server sends the IP packet to its NIC and tells the NIC to encapsulate the packet in a frame destined for the MAC address of the router. If there is no ARP entry, the server will issue an ARP request asking that router 192.168.1.1 respond with its MAC address so that the delivery can be made. Once a reply is received, the packet is sent and the ARP table is subsequently updated with the new MAC address.
• If the target server is on the same network as the source server, a similar process occurs. The ARP table is queried. If no entry is available, an ARP request is made asking the target server for its MAC address. Once a reply is received, the packet is sent and the ARP table is subsequently updated with the new MAC address.
• As each router in the path receives the packet, it will in turn continue with the ARP-ing process to relay the packet to the final destination.
• As can be expected, the ARP table only contains the MAC addresses of devices on the locally connected network. ARP entries are not permanent and will be erased after a fixed period of time depending on the operating system used.
• The server will not send the data to its intended destination unless it has an entry in its ARP table. If it doesn't, the application needing to communicate will issue a timeout or "time exceeded" error.
• The Linux network topics page shows how to see your ARP table and the MAC addresses of your server's NICs.

Connections initiated from the Internet to the “public” IP address of the router / firewall face a problem. This greatly increases the number of devices that can access the Internet without running out of "public" IP addresses. A short list of capabilities includes: • Throttling traffic to a server when two many unfulfilled connections are made to it • Restricting traffic being sent to obviously bogus IP addresses • Providing network address translation or NAT
What Is NAT?
Your router / firewall will frequently be configured to make it appear to other devices on the Internet that the servers on your Home network have a valid “public” IP address. • Hundreds of PCs and servers behind a NAT device can masquerade as a single "public" IP address. not just by port and IP address like routers. As there normally has been no prior connection association
. As a general rule. This arrangement works well with a single NAT IP trying to initiate connections to many Internet addresses. You can configure NAT to be “one to one” in which you assign multiple IP addresses to the outside “public” interface of your firewall and pair each of these addresses to a corresponding server on the inside network. and not a “private” IP address. Basic NAT testing will require you to ask a friend to try to connect to your home network from the Internet. There are many good reasons for this. As the router / firewall is located at the “border crossing” to the Internet it can easily keep track of all the various outbound connections to the Internet by monitoring: • The IP addresses and TCP ports used by each home based server and mapping it to • The TCP ports and IP addresses of the Internet servers with which they want to communicate. This is called network address translation (NAT) and is often also called IP masquerading in the Linux world. all servers accessing the Internet will appear to have the single “public” IP address of the router / firewall because of “many to one” NAT. you won’t be able to access the public NAT IP addresses from servers on your home network. This prevents hackers from directly attacking your home systems as packets sent to the “private” IP will never pass over the Internet. NAT protects your home PCs by assigning them IP addresses from “private” IP address space that cannot be routed over the internet.
What Is Port Forwarding With NAT?
In our simple home network.linuxhomenetworking. The reverse isn’t true. firewalls can detect malicious attempts to subvert the TCP/IP protocol. Examples of NAT may be found in the IP masquerade section of the Linux iptables firewall chapter and also in the Cisco PIX firewall chapter.56
www.com
What Is A Firewall?
Firewalls can be viewed as routers with more enhanced abilities to restrict traffic. You can also use “many to one” NAT in which the firewall maps a single IP address to multiple servers on the network. Specifically. the two most commonly stated are: • No one on the Internet knows your true IP address.
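The "many to one" NAT table and the port forwarding rule described above, as a small added model (example code, not part of the manual). The public address 203.0.113.5 and the Internet hosts 198.51.100.x are constructed documentation addresses; the home PCs use the manual's 192.168.1.x range.

```python
"""Added example: a toy NAT router that keeps the outbound connection table
the manual describes (inside ip/port mapped to one public ip and a distinct
outside port) and a port-forwarding table for unsolicited inbound traffic."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"   # constructed "public" IP of the router / firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Many-to-one NAT: every inside (ip, port) pair is masqueraded behind the
    single public address, keyed on a distinct outside port so that replies
    can be mapped back to the right home PC."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.out_map = {}      # (inside_ip, inside_port) -> outside_port
        self.in_map = {}       # outside_port -> (inside_ip, inside_port)
        self.forwards = {}     # public port -> (inside_ip, inside_port)
        self.next_port = 40000

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """Port forwarding rule, e.g. public TCP 80 -> home web server."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def translate_outbound(self, pkt):
        """Outbound packet: record the association, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Inbound packet: deliver to the PC that opened the connection, or to
        a forwarded port; otherwise there is no way to tell which home PC
        should receive it, so it is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.in_map:
            ip, port = self.in_map[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if pkt.dst_port in self.forwards:
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        return None


def demo():
    """Two home PCs reach the same web server; replies find their way back;
    an unsolicited connection to port 80 is dropped until it is forwarded."""
    nat = NatRouter(PUBLIC_IP)
    a = nat.translate_outbound(Packet("192.168.1.100", 51000, "198.51.100.7", 80))
    b = nat.translate_outbound(Packet("192.168.1.101", 51000, "198.51.100.7", 80))
    reply_a = nat.translate_inbound(Packet("198.51.100.7", 80, PUBLIC_IP, a.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.9", 33000, PUBLIC_IP, 80))
    nat.add_port_forward(80, "192.168.1.100", 80)
    forwarded = nat.translate_inbound(Packet("198.51.100.9", 33000, PUBLIC_IP, 80))
    return a, b, reply_a, unsolicited, forwarded


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both PCs chose the same source port 51000, which is why the router needs its own outside port per association rather than just the public IP.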

What Is DNS?
The domain name system (DNS) is a worldwide server network used to help translate easy to remember domain names like www.linuxhomenetworking.com into an IP address that can be used behind the scenes by your computer. Here is a step by step description of what happens with a DNS lookup:
• Most home computers will get the IP address of their DNS server via DHCP from their router / firewall.
• Home router / firewalls providing DHCP services often provide their own IP address as the DNS name server address for home computers.
• The router / firewall will then redirect the DNS queries from your computer to the DNS name server of your Internet service provider (ISP).
• Your ISP's DNS server will then probably redirect your query to one of the 13 "root" name servers.
• The root server will then redirect your query to one of the Internet's ".com" DNS name servers which will then redirect the query to the "linuxhomenetworking.com" name server.
• The "linuxhomenetworking.com" name server will then respond with the IP address for www.linuxhomenetworking.com.
As you can imagine, this process can cause a noticeable delay when you are browsing the web. Each server in the chain will store the most frequent DNS name to IP address lookups in a memory cache which helps to speed up the response. You can make your Linux box into a caching DNS server for your home network too.

What Is DHCP?
According to www.dhcp.org, "The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, (and) to deliver TCP/IP stack configuration parameters such as the subnet mask and default router". The DHCP client sends out a query requesting a DHCP server which in turn provides the client PC with its IP address, subnet mask, DNS server and default gateway information. The assignment usually occurs when the DHCP configured machine boots up, or regains connectivity to the network. Most home router / firewalls are configured in the factory to be DHCP servers for your home network. The most commonly used form of DSL will also assign the outside interface of your router / firewall with a single DHCP provided IP address. You can check the chapter on Linux networking topics page on how to configure your Linux box to get its IP address via DHCP. You can also make your Linux box into a DHCP server once it has a fixed IP address; check the chapter on Configuring a DHCP Server to make your Linux box provide the DHCP addresses for the other machines on your network.

How Can I Check The IP Address For A Domain?
If you have the domain, then you can use either the nslookup command or host command to get the associated IP address. nslookup will be removed from future releases of Linux, but can still be used with Windows.

[root@bigboy tmp]# nslookup www.linuxhomenetworking.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   www.linuxhomenetworking.com
Address: 216.151.193.92

[root@bigboy tmp]# host www.linuxhomenetworking.com
www.linuxhomenetworking.com has address 216.151.193.92
[root@bigboy tmp]#

You can also use the nslookup and host commands to get the reverse information.

[root@bigboy tmp]# nslookup 216.151.193.92
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         127.0.0.1
Address:        127.0.0.1#53

92.193.151.216.in-addr.arpa     name = extra193-92.elan.net.

Authoritative answers can be found from:
193.151.216.in-addr.arpa        nameserver = dns1.elan.net.
193.151.216.in-addr.arpa        nameserver = dns2.elan.net.
dns1.elan.net   internet address = 216.151.193.1
[root@bigboy tmp]#

[root@bigboy tmp]# host 216.151.193.92
92.193.151.216.in-addr.arpa domain name pointer extra193-92.elan.net.
[root@bigboy tmp]#

How Do I Get My Own DNS Domain Name?
• There are many companies that provide DNS name registration. RegisterFree is the one I use. You can use them to determine whether the name you want is available and you can purchase the domain you want using a credit card with your web browser.
• The registration process will prompt you for your two primary DNS servers. This helps DNS root servers know exactly where to get the information for the IP address for your new website.
• If you don't have the names and/or IP addresses for your primary name servers, don't worry, you can do this later, after you follow the steps below.

Static or Dynamic DNS?
o If you didn't specifically reserve static IP addresses from your ISP, then your router is probably getting its "public" Internet IP address via DHCP from your ISP. In this case you'll want to use a dynamic DNS service.
o If you bought static IP addresses, then static DNS is the way to go.

What is FTP?
This is one of the most popular applications used to copy files between computers via a network connection. There are a number of commercially available GUI based clients you can load on your PC to do this, such as WSFTP and CuteFTP. You can also FTP from the command line as shown in the RPM chapter. From the remote user's perspective, there are two types of FTP.

Anonymous FTP
o This is used primarily to allow any remote user to download files to their systems.
o The remote FTP server will prompt you for a username, at which point the user will type "anonymous". The password is usually your valid email address.

Regular FTP
o This is used primarily to allow specific users to download files to their systems.
o The remote FTP server will prompt you for a username, at which point the user will be the username you normally use to log into the FTP server. The password will be your regular password for your user account.

From the systems administrator's perspective, there are another two categories. These are active and passive FTP which are covered in more detail in the FTP Chapter.

It is good to remember that FTP isn't very secure as usernames, passwords and data are sent across the network unencrypted. More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Secure Shell package that is normally installed by default on RedHat.

Where is Linux Help?
Linux help files are accessed using the "man" or manual pages. From the command line you issue the man command followed by the Linux command or file you wish to get information about. If you want to get information on the ssh command, then you'd use the command "man ssh". If you want to search all the man pages for a keyword, then use the man command with the -k switch. Using this information you can use the man command, without the -k, to narrow your help search. Here are some examples:

Finding General Information On A Command
Here we get information on the ssh command:

[root@bigboy tmp]# man ssh
SSH(1)                    BSD General Commands Manual                   SSH(1)

NAME
     ssh - OpenSSH SSH client (remote login program)

SYNOPSIS
     ssh [-l login_name] hostname | user@hostname [command]

     ssh [-afgknqstvxACNPTX1246] [-b bind_address] [-c cipher_spec]
         [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec]
         [-o option] [-p port] [-F configfile] [-L port:host:hostport]
         [-R port:host:hostport] [-D port] hostname | user@hostname [command]

DESCRIPTION
     ssh (SSH client) is a program for logging into a remote machine and for
     executing commands on a remote machine.  It is intended to replace
     rlogin and rsh, and provide secure encrypted
… … … …
[root@bigboy tmp]#

Search For All Instances Of A Word
Here we discover that the search string ssh can be found in the TCL man pages and also in a variety of ssh related pages including ssh, ssh-add and ssh-agent.

[root@bigboy tmp]# man -k ssh
Tcl_DecrRefCount [Tcl_IsShared] (3)  - manipulate Tcl objects
… … … …
[root@bigboy tmp]#

Chapter 7: Configuring Syslog

Syslog Facilities

Syslog severity levels:

Severity Level   Keyword          Description
0                emergencies      System unusable
1                alerts           Immediate action required
2                critical         Critical condition
3                errors           Error conditions
4                warnings         Warning conditions
5                notifications    Normal but significant conditions
6                informational    Informational messages
7                debugging        Debugging messages

The files to which syslog will write each type of message received are set in the /etc/syslog.conf configuration file. This file consists of two columns: the first lists the facilities and severities of messages to expect and the second lists the files to which they should be logged. By default, RedHat's /etc/syslog.conf configuration file is configured to put most of the messages in the file /var/log/messages. Here is a sample:

*.info;mail.none;authpriv.none;cron.none        /var/log/messages

In this case, all messages of severity "info" and above are logged, but none from the mail, cron or authentication facilities/subsystems. You can make this logging even more sensitive by replacing the line above with one that captures all messages from debug severity and above in the /var/log/messages file. This may be more suitable for troubleshooting.

*.debug        /var/log/messages

Certain applications will additionally log to their own application specific log files and directories independent of the syslog.conf file. Here are some common examples:

Files:
/var/log/maillog             : Mail
/var/log/httpd/access_log    : Apache web server page access logs

Directories:
/var/log
/var/log/samba    : Samba messages
/var/log/mrtg     : MRTG messages
/var/log/httpd    : Apache webserver messages

NOTE: The /etc/syslog.conf file is very sensitive to spaces. Only use tabs on lines that don't start with the "#" comment character. Spaces in the file will cause unpredictable results.
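How a syslog.conf selector line decides where a message goes, together with a check for the tab-versus-space problem in the note above, as an added example (not code from the manual or from syslogd). The configuration text is a constructed sample; the /var/log/cisco path follows the logrotate sample later in this chapter.

```python
"""Added example: evaluate syslog.conf selector lines such as
"*.info;mail.none;authpriv.none;cron.none<TAB>/var/log/messages" against a
message's facility and severity, and lint lines that use spaces instead of
a tab between the two columns."""
import re

# Severity numbers from the table above, keyed by the keyword syslog.conf uses
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

SAMPLE_CONF = (
    "# constructed sample: selector<TAB>target, as /etc/syslog.conf expects\n"
    "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"
    "mail.*\t/var/log/maillog\n"
    "local5.* /var/log/cisco/router.log\n"   # separated by a space: flagged by the lint
)


def parse(conf):
    """Return a list of (selectors, target). Each selector is (set of
    facilities, threshold level or None for 'none'); order is kept because a
    later selector on the same line overrides an earlier one for a facility."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, target = line.split(None, 1)
        selectors = []
        for sel in selector_field.split(";"):
            facs, pri = sel.rsplit(".", 1)
            level = None if pri == "none" else (7 if pri == "*" else SEVERITY[pri])
            selectors.append((set(facs.split(",")), level))
        rules.append((selectors, target.strip()))
    return rules


def destinations(rules, facility, severity):
    """Files that receive one message of the given facility and severity.
    A selector like mail.err means 'err and more serious', so a message
    matches when its severity number is <= the selector's level."""
    sev = SEVERITY[severity]
    files = []
    for selectors, target in rules:
        level = "unset"
        for facs, lvl in selectors:
            if "*" in facs or facility in facs:
                level = lvl          # last matching selector on the line wins
        if level not in ("unset", None) and sev <= level:
            files.append(target)
    return files


def lint_separators(conf):
    """1-based line numbers whose selector/target separator contains a
    space; the manual warns that syslogd wants a tab there."""
    bad = []
    for n, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"\S+(\s+)\S", raw)
        if m and " " in m.group(1):
            bad.append(n)
    return bad


if __name__ == "__main__":
    rules = parse(SAMPLE_CONF)
    for fac, sev in [("kern", "info"), ("mail", "info"), ("cron", "err"), ("local5", "warning")]:
        print(fac, sev, "->", destinations(rules, fac, sev))
    print("lines using spaces instead of a tab:", lint_separators(SAMPLE_CONF))
```

Note that a local5 warning lands in /var/log/messages as well as the router log: the "*.info" line catches every facility not explicitly excluded with ".none".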
Activating Changes To The syslog Configuration File
Changes to /etc/syslog.conf will not take effect until you restart syslog. Issue this command to do so:

[root@bigboy tmp]# /etc/init.d/syslog restart

How To View New Log Entries As They Happen
If you want to get new log entries to scroll on the screen as they occur, then you can use this command:

[root@bigboy tmp]# tail -f /var/log/messages

Similar commands can be applied to all log files. This is probably one of the best troubleshooting tools available in Linux. Another good command to use apart from "tail" is "grep". Grep will help you search for all occurrences of a string in a log file; you can pipe it through the "more" command so that you only get one screen at a time. Here is an example:

[root@bigboy tmp]# grep string /var/log/messages | more

You can also just use the plain old "more" command to see one screen at a time of the entire log file without filtering with "grep". Here is an example:

[root@bigboy tmp]# more /var/log/messages

Logging Syslog Messages To A Remote Linux Server

Configuring the Linux Syslog Server
By default syslog doesn't expect to receive messages from remote clients. Here's how to configure your Linux server to start listening for these messages. As we saw previously, syslog checks its /etc/syslog.conf file to determine the expected names and locations of the log files it should create. It also checks the file /etc/sysconfig/syslog to determine the various modes in which it should operate. Syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in this file has a "-r" included in it as shown below.

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-2"

You will have to restart syslog on the server for the changes to take effect. The server will now start to listen on UDP port 514, which you can verify using either one of the following netstat command variations.

[root@bigboy tmp]# netstat -a | grep syslog
udp        0      0 *:syslog                *:*
[root@bigboy tmp]# netstat -an | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*
[root@bigboy tmp]#

Configuring the Linux Client
The syslog server is now expecting to receive syslog messages. You now have to configure your remote Linux client to send messages to it. This is done by editing the /etc/hosts file on the Linux client named smallfry. Here are the steps:
• Determine the IP address and fully qualified hostname of your remote logging host
• Add an entry in the /etc/hosts file in the format:
  IP-address    fully-qualified-domain-name    hostname    "loghost"
  Example:
  192.168.1.100    bigboy.my-site.com    bigboy    loghost

Server "bigboy" has now become the remote logging server as its /etc/hosts entry has an alias "loghost" which indicates to syslog that this is a remote syslog server. Remember to restart syslog to make these changes take effect. You can now test to make sure that the syslog server is receiving the messages with a simple test such as restarting the lpd printer daemon and making sure the remote server sees the messages.

Linux Client
[root@smallfry tmp]# /etc/init.d/lpd restart
Stopping lpd:                                              [  OK  ]
Starting lpd:                                              [  OK  ]
[root@smallfry tmp]#

Linux Server
[root@bigboy tmp]# tail /var/log/messages
...
Apr 11 22:09:35 smallfry lpd: lpd shutdown succeeded
Apr 11 22:09:39 smallfry lpd: lpd startup succeeded
...
[root@bigboy tmp]#

Syslog Configuration and Cisco Network Devices
Syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices. Routers, switches, PIX firewalls, CSS arrowpoints and LocalDirectors each logging with a different facility can each have their own log files for easy troubleshooting. The chapter on Miscellaneous Topics has examples of how to configure syslog to do this with Cisco devices using separate log files for the routers, switches, firewalls and load balancers.

Syslog and Firewalls
Syslog listens by default on UDP port 514. If you are logging to a remote syslog server via a firewall, you'll have to allow traffic on this port to pass through the security device.

Logrotate
Logrotate is a Linux utility that renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space.

The /etc/logrotate.conf File
This is logrotate's general configuration file in which you can specify the frequency with which the files are reused.
o You can specify either the "weekly" or "daily" rotation parameter. In the case below the weekly option is "commented out" with a "#", allowing for daily updates.
o The "rotate" parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4 copy option is "commented out" with a "#", while allowing 7 copies.
o The "create" parameter creates a new log file after each rotation.
Therefore our sample configuration file will create daily archives of ALL the logfiles and store them for seven days. The files will have the following names, with "logfile" being the current active version:

logfile
logfile.0
logfile.1
logfile.2
logfile.3
logfile.4
logfile.5
logfile.6

Sample contents of /etc/logrotate.conf

# rotate log files weekly
#weekly
# rotate log files daily
daily
# keep 4 weeks worth of backlogs
#rotate 4
# keep 7 days worth of backlogs
rotate 7
# create new (empty) log files after rotating old ones
create

The /etc/logrotate.d Directory
Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory. Here are some sample files which define the specific files to be rotated for each application.

The /etc/logrotate.d/syslog File (For General System Logging)

/var/log/cisco/* /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Chapter 8: Linux Networking

          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0x1820

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:787 errors:0 dropped:0 overruns:0 frame:0
          TX packets:787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82644 (80.7 Kb)  TX bytes:82644 (80.7 Kb)

wlan0     Link encap:Ethernet  HWaddr 00:06:25:09:6A:B5
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4676853 (4.4 Mb)  TX bytes:43209032 (41.2 Mb)
          Interrupt:11 Memory:c887a000-c887b000

wlan0:0   Link encap:Ethernet  HWaddr 00:06:25:09:6A:B5
          inet addr:192.168.1.99  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Memory:c887a000-c887b000
[root@bigboy tmp]#

In this example, eth0 has no IP address as this box is using wireless interface wlan0 as its main NIC. Interface wlan0 has an IP address of 192.168.1.100 and a subnet mask of 255.255.255.0. You can see that this command gives good information on the interrupts used by each card. This can also be found in less detail in the file /proc/interrupts.

Changing Your IP Address
If you wanted, you could give this eth0 interface an IP address using the ifconfig command.

[root@bigboy tmp]# ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up

The "up" at the end of the command activates the interface. To make this permanent each time you boot up you'll have to add this command in your /etc/rc.d/rc.local file. Linux also makes life a little easier with interface configuration files located in the /etc/sysconfig/network-scripts directory. Interface eth0 has a file called ifcfg-eth0, eth1 uses ifcfg-eth1, etc. You can place your IP address information in these files which are then used to auto-configure your NICs when Linux boots. Here are two samples for interface eth0: one assumes the interface has a fixed IP address, the other assumes it requires an IP address assignment using DHCP.

network-scripts File Formats

Fixed IP Address
[root@bigboy tmp]# cd /etc/sysconfig/network-scripts
[root@bigboy network-scripts]# more ifcfg-eth0
DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.100
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=no
[root@bigboy network-scripts]#

Getting the IP Address using DHCP
[root@bigboy tmp]# cd /etc/sysconfig/network-scripts
[root@bigboy network-scripts]# more ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
[root@bigboy network-scripts]#

As you can see eth0 will be activated on booting as the parameter ONBOOT has the value "yes" and not "no". You can read more about netmasks and DHCP in the introduction to networking chapter. Once you change the values in the configuration files for the NIC you'll have to deactivate and activate it for the modifications to take effect. The ifdown and ifup commands can be used to do this.

[root@bigboy network-scripts]# ifdown eth0
[root@bigboy network-scripts]# ifup eth0

Multiple IP Addresses On A Single NIC
In the previous "determining your IP address" section you may have noticed that there were two wireless interfaces. One's named wlan0 and the other wlan0:0. Interface wlan0:0 is actually a "child" of interface wlan0, a virtual sub-interface also known as an "IP alias". IP aliasing is one of the most common ways of creating multiple IP addresses associated with a single NIC. Aliases have the name format "parent-interface-name:X", where "X" is the sub-interface number of your choice. The process for creating an IP alias is very similar to the steps outlined for the real interface in the previous "changing your IP address" section.
o First ensure the "parent" real interface exists.
o Verify that no other IP alias exists with the name you plan to use. In this case we want to create interface wlan0:0.
o Create the virtual interface with the ifconfig command:
  [root@bigboy tmp]# ifconfig wlan0:0 192.168.1.99 netmask 255.255.255.0 up
o You then have the choice of creating a /etc/sysconfig/network-scripts/ifcfg-wlan0:0 file or adding the ifconfig command used above to your /etc/rc.d/rc.local file to ensure the IP address is assigned properly when you reboot.

IP Address Assignment For A Direct DSL Connection
If you are using a DSL connection with fixed or "static" IP addresses, then the configuration steps are the same as those outlined above. You plug your ethernet interface into the DSL modem, configure it with the IP address, subnet mask, broadcast address and gateway information provided by your ISP and you should have connectivity once you restart your interface. Remember that you may also need to configure your DNS server correctly.

If you are using a DSL connection with a DHCP or "dynamic" IP address assignment, then the process is different. Your ISP will provide you with a PPPoE "username" and "password" which will allow your computer to login transparently to the Internet each time it boots up. The PPPOE configuration will create a software based virtual interface named ppp0 that will use the physical Internet interface eth0 for connectivity. By default, as of version 8.0, RedHat Linux installs the rp-pppoe RPM software package required to support this. The latest version of the RPM for RedHat 8.0 is rp-pppoe-3.4-7.i386.rpm. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. Install the package using the following command:

[root@bigboy tmp]# rpm -Uvh rp-pppoe-3.4-7.i386.rpm
Preparing...                ########################################### [100%]
   1:rp-pppoe               ########################################### [100%]
[root@bigboy tmp]#

You'll then need to go through a number of steps to complete the connection. Here's what you need to do:

o Make a backup copy of your ifcfg-eth0 file.
  [root@bigboy tmp]# cd /etc/sysconfig/network-scripts/
  [root@bigboy network-scripts]# ls ifcfg-eth0
  ifcfg-eth0
  [root@bigboy network-scripts]# cp ifcfg-eth0 DISABLED.ifcfg-eth0
o Edit your ifcfg-eth0 file to have no IP information and also to be deactivated at boot time.
  DEVICE=eth0
  ONBOOT=no
o Shutdown your eth0 interface.
  [root@bigboy network-scripts]# ifdown eth0
  [root@bigboy network-scripts]#
o Run the adsl-setup configuration script.
  [root@bigboy network-scripts]# adsl-setup
o It will prompt you for your ISP username, the interface to be used (eth0) and whether you want the connection to stay up indefinitely. We'll use defaults wherever possible.

Welcome to the ADSL client setup.  First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root): bigboy-login@isp

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0):

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You may have some problems with demand-activated links.
Enter the demand value (default no):

o It will then prompt you for your DNS server information. If you want your ISP to automatically provide the IP address of its DNS server then enter the word "server". If you're running BIND on your server in a caching DNS mode then you may want to leave this option blank. This step will edit your /etc/resolv.conf file.

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here:

o The script will then prompt you for your ISP password.

PASSWORD

Please enter your Password:
Please re-enter your Password:

o Then it will ask whether you want regular users (not superuser "root") to be able to activate/deactivate the new ppp0 interface.

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes):

o The rp-pppoe package has two sample ipchains firewall scripts located in the /etc/ppp directory named firewall-standalone and firewall-masq. They are very basic and don't cover rules to make your Linux box a web server, DNS server nor mail server. I'd recommend selecting "none" and using a variant of the basic script samples in the firewall chapter, or the more comprehensive one found in the Appendix.

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself.  Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc.  If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
          for ensuring the security of your machine.  You are STRONGLY
          recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
                for a LAN
Choose a type of firewall (0-2): 0

o You'll then be asked whether you want the connection to be activated upon booting. Most people would say "yes".

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

o Just before exiting, you'll get a summary of the parameters you entered and the relevant configuration files will be updated to reflect your choices when you accept them.

** Summary of what you entered **

Ethernet Interface: eth0
User name:          bigboy-login@isp
Activate-on-demand: No
DNS:                Do not adjust
Firewalling:        NONE
User Control:       yes

Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
  (But first backing it up to /etc/ppp/chap-secrets.bak)
  (But first backing it up to /etc/ppp/pap-secrets.bak)

o At the very end it will tell you the commands to use to activate/deactivate your new ppp0 interface and to get a status of the interface's condition.

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.

The above example recommends using the adsl-status command with the name of the PPPoE interface configuration file. This command defaults to showing information for interface ppp0 and therefore listing the ifcfg-ppp0 filename won't be necessary in most home environments.

Some Important Files Created By adsl-setup
• The adsl-setup script creates three files that will be of interest to you. The first is the ifcfg-ppp0 file with the interface's link layer connection parameters.

[root@bigboy network-scripts]# more ifcfg-ppp0
USERCTL=yes
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=20
LCP_FAILURE=3
LCP_INTERVAL=80
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes
SYNCHRONOUS=no
ETH=eth0
PROVIDER=DSLppp0
USER=bigboy-login@isp
PEERDNS=no
[root@bigboy network-scripts]#

• The others are the duplicate /etc/ppp/pap-secrets and /etc/ppp/chap-secrets files with the username and password needed to login to your ISP.

[root@bigboy network-scripts]# more /etc/ppp/pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
"bigboy-login@isp"      *       "password"
[root@bigboy network-scripts]#

Simple Troubleshooting
• You can run the adsl-status command to determine the condition of your connection. In this case the package has been installed but the interface hasn't been activated.

[root@bigboy tmp]# adsl-status
Note: You have enabled demand-connection; adsl-status may be inaccurate.
adsl-status: Link is attached to ppp0, but ppp0 is down
[root@bigboy tmp]#

• After activation, the interface appears to work correctly.

[root@bigboy tmp]# ifup ppp0
[root@bigboy tmp]# adsl-status
adsl-status: Link is up and running on interface ppp0
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1462
        inet …
… … …
[root@bigboy tmp]#

• For further troubleshooting information you can visit the website of rp-pppoe at Roaring Penguin (www.roaringpenguin.com). There are some good tips there on how to avoid problems with VPN clients.

Chapter 8: Linux Networking

How To Change Your Default Gateway

This can be done with a simple command. This example uses a newly installed wireless interface called wlan0; most PCs would be using the standard ethernet interface eth0. Let's assume that this router has an IP address of 192.168.1.1.

[root@bigboy tmp]# route add default gw 192.168.1.1 wlan0

In this case, make sure that the router / firewall with IP address 192.168.1.1 is connected to the same network as interface wlan0! Once done, you'll need to update your /etc/sysconfig/network file to reflect the change. This file is used to configure your default gateway each time Linux boots. Here is a sample.

NETWORKING=yes
HOSTNAME=bigboy
GATEWAY=192.168.1.1

Some people don't bother with this step and just place the "route add" command in the file /etc/rc.d/rc.local.

How To Configure Two Gateways

Some networks may have multiple router / firewalls providing connectivity. Here's a typical scenario:
• You have one router providing access to the Internet which you'd like to have as your default gateway (See the default gateway example above)
• You also have another router providing access to your corporate network using addresses in the range 10.0.0.0 to 10.255.255.255. Let's assume that this router has an IP address of 192.168.1.254.

The Linux box used in this example uses interface wlan0 for its Internet connectivity. You will most likely be using interface eth0, so please adjust your steps accordingly. Add the new route as follows:

[root@bigboy tmp]# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 wlan0

The file /etc/sysconfig/static-routes will also have to be updated so that the route is reinstated when you reboot. A more complicated /etc/sysconfig/static-routes file is located in a following section.

wlan0 net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254

Some people don't bother with this step and just place the "route add" command in the file /etc/rc.d/rc.local.

How To Convert Your Linux Server Into A Router

For your Linux server to become a router, you have to enable packet forwarding. In simple terms packet forwarding lets packets flow through the Linux box from one network to another. The configuration parameter to activate this is found in the file /etc/sysctl.conf. Remove the "#" from the line related to packet forwarding.

Before
# Disables packet forwarding
#net.ipv4.ip_forward=1

After
# Disables packet forwarding
net.ipv4.ip_forward=1

This will only enable it when you reboot, at which time Linux will create a file in one of the subdirectories of the special RAM memory based /proc filesystem. To activate the feature immediately you have to make the single-line text file /proc/sys/net/ipv4/ip_forward contain only the value "1". Here is how it's done:

[root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/ip_forward

The next step needed will be activating proxy ARP. All computers that need to communicate with a computer on another network send out an ARP request to get the Ethernet MAC address (separate from the IP address) of the most desirable router in their routing table. The router will reply with its MAC address, which the server will use when forwarding the packet to the router. Proxy ARP has to be enabled for the Linux box to answer ARP requests. Proxy ARP activation needs to be done for each ethernet interface on your Linux box. This example is for interfaces eth0 and wlan0.

[root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
[root@bigboy tmp] echo 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp

(You can determine your network interface names with the ifconfig -a command)

There is no purpose built configuration file to force Linux to do proxy ARP on booting. The best way to do this is to put the commands above in your /etc/rc.d/rc.local file:

echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/wlan0/proxy_arp

Remember to configure a default route on your Linux box to point to your Internet gateway. Here is the more complicated /etc/sysconfig/static-routes file mentioned earlier, for a router with several interfaces:

[root@bigboy tmp]# more /etc/sysconfig/static-routes
eth0 net 172.16.68.64 netmask 255.255.255.224 gw 172.16.67.135
eth0 net 172.16.11.0 netmask 255.255.255.0 gw 172.16.67.135
eth1 net 172.16.67.0 netmask 255.255.255.0 gw 172.16.67.131
eth1 net 172.16.69.32 netmask 255.255.255.224 gw 172.16.69.193
eth1 net 172.16.69.96 netmask 255.255.255.224 gw 172.16.69.193
eth1 net 172.16.69.160 netmask 255.255.255.240 gw 172.16.69.193
[root@bigboy tmp]#

You may also want to convert your new Linux router into a firewall to protect your home network. The Netfilter iptables pages show how to do this.

Configuring Your /etc/hosts File

The /etc/hosts file lists the name and IP address of local hosts. Your server will typically check this file before referencing DNS; if the name is found with a corresponding IP address then DNS won't be queried. Unfortunately, if the IP address for that host changes, you'll have to update the file. For ease of management, it is best to limit entries in this file to just the loopback interface and the local host's name, and use the centralized DNS server to handle the rest.

• The /etc/hosts file has the following format:

ip-address fully-qualified-domain-name alias1 alias2 alias3 etc

• The very first line should always look like this with "localhost" being the only alias:

127.0.0.1 localhost.localdomain localhost

• If you have a NIC card in the server, then you have to add another entry in this file.
o First determine what your true hostname is:

[root@bigboy mail]# hostname
bigboy
[root@bigboy mail]#

o Add the corresponding entry in the /etc/hosts file for the NIC's IP address

Your NIC's /etc/hosts File Format

Your machine's name is NOT listed with a DNS server
IP-address hostname.localdomain hostname

Your machine's name is listed with a DNS server
IP-address hostname.my-site.com hostname

Here are some examples:

• Host bigboy with an IP address of 192.168.1.100 isn't part of any DNS domain
192.168.1.100 bigboy.localdomain bigboy

• Host bigboy with an IP address of 192.168.1.100 is the mail and web server for domain my-site.com with corresponding entries in the DNS zone file for my-site.com
192.168.1.100 bigboy.my-site.com bigboy mail www

Note: Only have one line per IP address in this file. If your server has multiple names, then just put the two or three aliases that you feel are most important.
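As an added example (not from the manual), the following shell functions check the two assumptions the default-gateway and static-routes steps above rely on: that a gateway really sits on the interface's own network, and that each /etc/sysconfig/static-routes line turns into the "route add -net" command it is meant to reinstate. The interface address 192.168.1.10/24 used in the demo is an assumed value; the gateways are the manual's.

```shell
#!/bin/sh
# Added example (not from the manual): sanity checks for the routing steps
# above.  Nothing here touches the kernel routing table, so it is safe to
# run before issuing the real "route add".

# ip_to_int A.B.C.D -> the address as a 32-bit integer (printed)
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 if both lie in the same network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# check_gateway IFACE_IP NETMASK GATEWAY
# The manual's caveat: a gateway that is not on the interface's own network
# cannot be reached by ARP, so "route add ... gw GATEWAY IFACE" is useless.
check_gateway() {
    if same_subnet "$1" "$3" "$2"; then
        echo "ok: gateway $3 is on the same network as $1/$2"
    else
        echo "error: gateway $3 is not on the network of $1/$2"
        return 1
    fi
}

# static_routes_to_cmds [FILE]  (reads stdin when no file is given)
# Each /etc/sysconfig/static-routes line has the form
#   IFACE net NETWORK netmask MASK gw GATEWAY
# and is printed back as the equivalent "route add -net" command.  Lines that
# do not fit the format are reported, so a typo cannot silently drop a route
# at boot time.
static_routes_to_cmds() {
    awk 'NF == 7 && $2 == "net" && $4 == "netmask" && $6 == "gw" {
             printf "route add -net %s netmask %s gw %s %s\n", $3, $5, $7, $1
             next
         }
         NF > 0 && $1 !~ /^#/ { printf "# line %d skipped, bad format: %s\n", NR, $0 }' ${1:+"$1"}
}

# Demo with the manual's two-gateway scenario.  192.168.1.10/24 is assumed
# to be wlan0's own address (constructed value).
if [ "${1:-}" = "demo" ]; then
    check_gateway 192.168.1.10 255.255.255.0 192.168.1.254
    check_gateway 192.168.1.10 255.255.255.0 10.0.0.1 || true
    printf 'wlan0 net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254\n' | static_routes_to_cmds
fi
```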
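Also added here (not the manual's own code) is a small check for the /etc/hosts rules just described: the loopback line must come first with "localhost" as its only alias, every line needs a name, and no IP address may appear on more than one line. The sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the manual): validate an /etc/hosts file against
# the rules described above.  Prints one message per problem and returns
# non-zero if any were found.

# check_hosts FILE
check_hosts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        {
            entries++
            if (entries == 1 &&
                !($1 == "127.0.0.1" && $2 == "localhost.localdomain" && $3 == "localhost" && NF == 3)) {
                bad++
                print "line " NR ": first entry must be \"127.0.0.1 localhost.localdomain localhost\""
            }
            if (NF < 2) {
                bad++
                print "line " NR ": no hostname given for " $1
            }
            if ($1 in seen) {
                bad++
                print "line " NR ": " $1 " already listed on line " seen[$1] " (only one line per IP address)"
            } else {
                seen[$1] = NR
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample (not from the manual) that breaks two of the rules:
# the same IP address twice, and an address with no name.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
127.0.0.1 localhost.localdomain localhost
192.168.1.100 bigboy.my-site.com bigboy mail www
192.168.1.100 bigboy.localdomain bigboy
192.168.1.101
EOF
    check_hosts "$tmp"
    rm -f "$tmp"
fi
```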

You will eventually find yourself trying to fix a network related problem. Here are some troubleshooting tips to help you discover what the problem could be.

How To See MAC Addresses
There are times when you lose connectivity with another server that is directly connected to your local network. Taking a look at the ARP table of the server from which you are troubleshooting will help determine whether or not the remote server’s NIC is responding to any type of traffic from your Linux box. Lack of communication at this level may mean:
• Either server may be disconnected from the network
• There may be bad network cabling
• A NIC may be disabled or the remote server may be shut down

Here is a description of the commands you may use to determine ARP values:
• The "ifconfig -a" command will show you both the NIC's MAC address and the associated IP addresses of the server which you are currently logged in to.

How To Use "Ping" To Test Network Connectivity
Whether or not your troublesome server is connected to your local network it is always a good practice to force a response from it. One of the most common methods used to test connectivity across multiple networks is the "ping" command. Ping sends ICMP “echo” type packets that request a corresponding ICMP “echo-reply” response from the device at the target address. As most servers will respond to a ping query it becomes a very handy tool. A lack of response could be due to:
• A server with that IP address doesn't exist
• The server has been configured not to respond to pings
• A firewall or router along the network path is blocking ICMP traffic
• You have incorrect routing. Check routes on the local and remote servers and all routers in between. A classic symptom of bad routes on a server is the ability to only ping servers on your local network and nowhere else.

There are a variety of ICMP response codes which can help in further troubleshooting. See the appendix for a full listing of them.

Chapter 9: Simple Network Troubleshooting

The Linux ping command will send continuous pings, once a second, until stopped with a <Ctrl-C>. Here is an example of a successful ping to the server bigboy at 192.168.1.100

[root@smallfry tmp]# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) from data.
64 bytes from 192.168.1.101: icmp_seq=1
64 bytes from 192.168.1.101: icmp_seq=2
64 bytes from 192.168.1.101: icmp_seq=3
64 bytes from 192.168.1.101: icmp_seq=4

Using "traceroute" To Test Connectivity
Another tool for network troubleshooting is the traceroute command. It gives a listing of all the router hops between your server and the target server. This helps you verify that routing over the networks in between is correct. Traceroute works by sending a UDP packet destined to the target with a TTL of "0". The first router on the route recognizes that the TTL has already been exceeded and discards or “drops” the packet, but also sends an ICMP "time exceeded" message back to the source. The traceroute program records the IP address of the router that sent the message and knows that that is the first hop on the path to the final destination. The traceroute program tries again, with a TTL of "1". The first hop, sees nothing wrong with the packet, decrements the TTL to 0 as expected, and forwards the packet to the second hop on the path. Router 2, sees the TTL of "0", drops the packet and replies with an ICMP time exceeded message. Traceroute now knows the IP address of the second router. This continues around and around until the final destination is reached.

Possible Traceroute Messages
Traceroute Symbol   Description
***                 Time exceeded. Could be caused by:
                    • A router on the path not sending back the ICMP "time exceeded" messages
                    • A router or firewall in the path blocking the ICMP "time exceeded" messages
                    • The target IP address not responding
!H, !N, !P          Host, network or protocol unreachable
!X                  Communication administratively prohibited. A router Access Control List (ACL) or firewall is in the way
!S                  Source route failed. Source routing attempts to force traceroute to use a certain path. Failure may be due to a router security setting

Always Get A Bidirectional Traceroute
It is always best to get traceroutes from the source IP to the target IP and also from the target IP to the source IP. This is because the packet's return path from the target is sometimes not the same as the path taken to get there. A high traceroute time equates to the round trip time for both the initial traceroute query to each “hop” and the response of each “hop”.

Here is an example of one such case, using disguised IP addresses and provider names. There was once a routing issue between telecommunications carriers FastNet and SlowNet. When a user at IP address 40.16.106.32 did a traceroute to 64.25.175.200, a problem seemed to appear at the 10th hop with OtherNet. However, when a user at 64.25.175.200 did a traceroute to 40.16.106.32, latency showed up at hop 7 with the return path being very different. In this case, the real traffic congestion was occurring where FastNet handed traffic off to SlowNet in the second trace. The latency appeared to be caused at hop 10 on the first trace not because that hop was slow, but because that was the first hop at which the return packet traveled back to the source via the congested route. Remember, traceroute gives the packet round trip time.

Trace route to 40.16.106.32 from 64.25.175.200

 1     0 ms     0 ms     0 ms  [64.25.175.200]
 2     0 ms     0 ms     0 ms  [64.25.175.253]
 3     0 ms     0 ms     0 ms  [207.174.144.169]
 4     0 ms     0 ms     0 ms  border-from-40-tesser.boulder.co.coop.net [64.25.128.126]
 5     0 ms     0 ms     0 ms  p3-0.dnvtco1-cr3.othernet.net [4.25.26.53]
 6     0 ms     0 ms     0 ms  p2-1.dnvtco1-br1.othernet.net [4.24.11.25]
 7     0 ms     0 ms     0 ms  p15-0.dnvtco1-br2.othernet.net [4.24.11.38]
 8    30 ms    30 ms    30 ms  p15-0.snjpca1-br2.othernet.net [4.0.6.225]
 9    30 ms    30 ms    30 ms  p1-0.snjpca1-cr4.othernet.net [4.24.9.150]
10  1252 ms  1212 ms  1202 ms  h0.webhostinc2.othernet.net [4.24.236.38]
11  1252 ms  1212 ms  1192 ms  [40.16.96.11]
12  1262 ms  1212 ms  1192 ms  [40.16.96.162]
13  1102 ms  1091 ms  1092 ms  [40.16.106.32]

Possible Reasons For Failed Traceroutes

Traceroutes can fail to reach their intended destination for a number of reasons. These include:

o Traceroute packets are being blocked or rejected by a router in the path. The router immediately after the last visible one is usually the culprit. It’s usually good to check the routing table and/or other status of this next hop device.

o The packets don’t have a proper return path to your server. The router immediately after the last visible one is the one at which the routing changes. It’s usually good to: log on to the last visible router. Look at the routing table to determine what the next hop is to your intended traceroute target. Log on to this next hop router. Do a traceroute from this router to your intended target server.
  If this works: Routing to the target server is OK. Do a traceroute back to your source server. The traceroute will probably fail at the bad router on the return path.
  If it doesn’t work: Test the routing table and/or other status of all the hops between it and your intended target.

o The target server doesn’t exist on the network. It could be disconnected, or turned off. (!H or !N messages may be produced.)

o The network on which you expect the target host to reside doesn’t exist in the routing table of one of the routers in the path. (!H or !N messages may be produced.)

o You may have a typographical error in the IP address of the target server.

o You may have a routing loop in which packets bounce between two routers and never get to the intended destination. Here is an example of such a loop:

 7    70 ms    70 ms    70 ms  rtr-1.confusion.net [186.40.64.93]
 8    60 ms    70 ms    60 ms  rtr-2.confusion.net [186.40.64.94]
 9    70 ms    70 ms    70 ms  rtr-1.confusion.net [186.40.64.93]
 ...
Trace complete.

  This problem was solved by resetting the routing process on both routers. The problem was initially triggered by an unstable network link that caused frequent routing recalculations. The constant activity eventually corrupted the routing tables of one of the routers.

Note: If there is nothing blocking your traceroute traffic, then the last visible router of an incomplete trace is either the last good router on the path, or the last router that has a valid return path to the server issuing the traceroute. The last visible hop is the last hop from which the packets return correctly.
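Added example (not from the manual): an awk-based reader for traceroute output that flags the two patterns discussed above, a hop address that reappears later in the trace (the rtr-1/rtr-2 loop) and the first hop at which the average round-trip time jumps sharply (hop 10 in the FastNet/SlowNet trace). The sample traces are constructed from the hops shown above; JUMP_MS is an assumed threshold name.

```shell
#!/bin/sh
# Added example (not from the manual): pick routing loops and latency jumps
# out of traceroute/tracert output whose rows look like
#   N  a ms  b ms  c ms  [hostname] [a.b.c.d]
# Unanswered hops ("*") carry no timing data and are skipped.  JUMP_MS
# (default 500) is how large a rise in average RTT over the previous hop
# gets reported.

# analyze_trace [FILE]  (reads stdin when no file is given)
analyze_trace() {
    awk -v jump="${JUMP_MS:-500}" '
        $1 !~ /^[0-9]+$/ { next }               # headers, "Trace complete." etc.
        {
            hop = $1
            addr = ($NF ~ /^\[.*\]$/) ? $NF : ""
            if (addr != "") {
                # the same router answering again at a later hop means the
                # packet is cycling between routers instead of progressing
                if (addr in seen)
                    print "loop: hop " hop " " addr " was already hop " seen[addr]
                else
                    seen[addr] = hop
            }
            n = 0; sum = 0
            for (i = 2; i < NF; i++)
                if ($(i + 1) == "ms" && $i ~ /^[0-9]+$/) { sum += $i; n++ }
            if (n == 0) next                      # "* * *" row
            avg = sum / n
            if (have_prev && !jumped && avg - prev > jump) {
                print "latency: hop " hop " avg " avg " ms, up from " prev " ms at hop " prevhop
                jumped = 1
            }
            prev = avg; prevhop = hop; have_prev = 1
        }
    ' ${1:+"$1"}
}

# Constructed samples built from the two traces discussed above.
demo_trace_latency() {
    cat <<'EOF'
Trace route to 40.16.106.32 from 64.25.175.200
 8    30 ms    30 ms    30 ms  p15-0.snjpca1-br2.othernet.net [4.0.6.225]
 9    30 ms    30 ms    30 ms  p1-0.snjpca1-cr4.othernet.net [4.24.9.150]
10  1252 ms  1212 ms  1202 ms  h0.webhostinc2.othernet.net [4.24.236.38]
11  1252 ms  1212 ms  1192 ms  [40.16.96.11]
EOF
}

demo_trace_loop() {
    cat <<'EOF'
 7    70 ms    70 ms    70 ms  rtr-1.confusion.net [186.40.64.93]
 8    60 ms    70 ms    60 ms  rtr-2.confusion.net [186.40.64.94]
 9    70 ms    70 ms    70 ms  rtr-1.confusion.net [186.40.64.93]
10     *        *        *     Request timed out.
Trace complete.
EOF
}

if [ "${1:-}" = "demo" ]; then
    demo_trace_latency | analyze_trace
    demo_trace_loop | analyze_trace
fi
```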

Viewing Packet Flow With TCPdump

Tcpdump is one of the most popular packages for viewing the flow of packets through your Linux box's NIC card. It is installed by default on RedHat linux and has very simple syntax, especially if you are doing simpler types of troubleshooting. One of the most common uses of tcpdump is to determine whether you are getting basic two way communication. Lack of communication could be due to:
• Bad routing
• Faulty cables, interfaces of devices in the packet flow
• The server not listening on the port because the software isn't installed or started

Analyzing tcpdump in much greater detail is beyond the scope of this section. Like most Linux commands, tcpdump uses command line switches to modify the output. Some of the more useful command line switches would include:

Possible TCPdump Messages

tcpdump command switch   Description
-c                       Stop after viewing count packets.
-i                       Listen on interface. If this is not specified, then tcpdump will use the lowest numbered interface that is UP
-t                       Don't print a timestamp at the beginning of each line

You can also add expressions after all the command line switches. These act as filters to limit the volume of data presented on the screen. You can also use keywords such as "and" or "or" between expressions to further fine tune your selection criteria. Some useful expressions include:
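Added example (not from the manual): a reader for tcpdump output that answers the "basic two way communication" question above per pair of hosts, and points out TCP SYNs that never got a SYN-ACK or RST back, which is what a host that is down, filtered, or not listening on the port looks like. The capture lines in the demo are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the manual): summarise tcpdump output by host
# pair and direction.  Both the old "src > dst: S ..." layout and the newer
# "Flags [S.]" layout are understood.

# two_way_check [FILE]  (reads stdin when no file is given)
two_way_check() {
    awk '
        {
            for (k = 2; k < NF; k++) if ($k == ">") break
            if (k >= NF) next                         # not a packet line
            src = $(k - 1); dst = $(k + 1); sub(/:$/, "", dst)
            sh = src; sub(/\.[^.]*$/, "", sh)         # drop the port/service
            dh = dst; sub(/\.[^.]*$/, "", dh)
            dir = sh " -> " dh
            pkts[dir]++
            f = $(k + 2)
            if (f == "Flags") {                       # newer tcpdump: "Flags [S.],"
                f = $(k + 3); f = substr(f, 2, length(f) - 3)
            }
            if (f == "S") {                           # old layout: SYN-ACK is "S ... ack N"
                if ($0 ~ / ack /) synack[dir]++; else syn[dir]++
            } else if (f == "S.") {
                synack[dir]++
            } else if (f ~ /^R/) {
                rst[dir]++
            }
        }
        END {
            for (d in pkts) {
                split(d, h, " -> ")
                back = h[2] " -> " h[1]
                line = d ": " pkts[d] " packet(s), " ((back in pkts) ? "two-way" : "one-way")
                if ((d in syn) && !(back in synack) && !(back in rst))
                    line = line "; SYN sent but no SYN-ACK or RST from " h[2] " (host down, filtered, or nothing listening)"
                print line
            }
        }
    ' ${1:+"$1"}
}

# Constructed capture (not real traffic): an SSH handshake that completes,
# and two HTTP SYNs to a host that never answers.
demo_tcpdump() {
    cat <<'EOF'
21:07:06.101 192.168.1.100.32864 > 192.168.1.101.ssh: S 1415926535:1415926535(0) win 5840 <mss 1460> (DF)
21:07:06.102 192.168.1.101.ssh > 192.168.1.100.32864: S 2718281828:2718281828(0) ack 1415926536 win 5792 <mss 1460> (DF)
21:07:06.102 192.168.1.100.32864 > 192.168.1.101.ssh: . ack 1 win 5840 (DF)
21:07:08.100 IP 192.168.1.100.32865 > 192.168.1.102.http: Flags [S], seq 3141592653, win 5840, length 0
21:07:11.100 IP 192.168.1.100.32865 > 192.168.1.102.http: Flags [S], seq 3141592653, win 5840, length 0
EOF
}

if [ "${1:-}" = "demo" ]; then
    demo_tcpdump | two_way_check
fi
```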

The Linksys WMP11 NIC and Linux

You have to be especially careful with the Linksys WMP series of wireless PCI cards. The older version of the card that uses the Intersil chipset works with Linux, but the newer version 2.7 card using a Broadcom chipset will not.

Pre Version 2.7 WMP 11 Card

This card uses the Linux-WLAN compatible Intersil chipset and doesn’t have any version number stamped on it. Even so, the original WMP won’t work without upgrading the firmware. You’ll have to download and install the latest firmware for a card from the Linksys website, then install the card in a windows box and upgrade the firmware. If you don't, your Linux box may not detect your NIC card at all and you will get kernel error messages like this one in /var/log/messages after you finish installing the software.

Aug 25 21:07:06 hostname kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association, frame dropped.

Be careful as this message can also be due to you using an SSID in your configuration files that doesn’t match the SSID of your WAP / wireless router.

The WMP 11 Version 2.7 Card

In September 2002, Linksys launched a Version 2.7 (or v2.7) model of the WMP11 card using a Broadcom chipset. You can determine whether you have this model by looking for the “V2.7” which is very clearly stamped on the front side of these cards. The linux-wlan.org site's hardware compatibility page now lists the WMP v2.7 as being an incompatible device. The card identifies itself as a Broadcom device:

00:0c.0 Network controller: BROADCOM Corporation: Unknown device 4301 (rev01)
        Subsystem: Unknown device 1737:4301
        Flags: bus master, fast devsel, latency 64, IRQ 5
        Memory at f4000000 (32-bit, non-prefetchable) [size=8K]
        Capabilities: [40] Power Management version 2

Installing the WMP11 v2.7 with the linux-WLAN tarball will give the following error in the log file /var/log/messages; installing it with the linux-WLAN RPMs gives the same error message on the screen:

Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: init_module: No such device
Dec 1 01:28:14 bigboy insmod: Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters. You may find more information in syslog or the output from dmesg
Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: insmod wlan0 failed

Chapter 10: Linux Wireless Networking

Linux-WLAN Preparation

All devices on a wireless network must use the same “Network Identifier” or SSID in order to communicate with each other. The default SSID for Linux-WLAN is “linux-wlan”; the default SSID for your windows NIC cards may be different. It’s a good idea to decide on a common SSID and stick with it.

Linux-WLAN doesn’t identify the wireless NIC as an Ethernet “eth” device, but as a “wlan” device. This is good to know in order to avoid confusion when troubleshooting.

Always be prepared to check your syslog /var/log/messages file for errors if things don't work. It is a good source of information. The syslog chapter will also show you how to set up syslog error logging to be more sensitive to error types. According to the linux-wlan documentation, you may get "device unknown" or "no such device" errors related to the wlan device in the /var/log/messages file if you use older unpatched versions of the Linux-WLAN software. Always use the most recent versions to reduce the installation mental stress.

PCMCIA Type Card Specific Information

Before installing the linux-wlan software for PCMCIA type cards such as the Linksys WPC11 you will need to install the RedHat Linux "pcmcia-cs" RPM package. This step isn't necessary for true PCI cards such as the Linksys WMP11. The latest version as of this writing was: kernel-pcmcia-cs-3.1.31-9.i386.rpm. Downloading and installing RPMs isn’t hard. If you need a refresher, the RPM chapter covers how to do this in detail.

Installing The Linux-WLAN Drivers

Linux-WLAN Installation - Using RPMs

1. Download the latest version of the linux-wlan RPM. RPM versions of the driver files can be found at http://prism2.unixguru.raleigh.nc.us. Remember to download the files for the correct kernel type, OS version and kernel version.

Determining The Kernel Type
Use the "uname -p" command. The Bigboy server discussed in the Topology chapter is running a i586 version of Linux. The Linux version may not match the CPU you have installed, so always use the uname version.

[root@bigboy tmp]# uname -p
i586
[root@bigboy tmp]#

Determining The Kernel Version
You can use the "uname -r" command to do this. Bigboy is running version 2.4.18-14

[root@bigboy tmp]# uname -r
2.4.18-14
[root@bigboy tmp]#

Determining The OS Version
One of the easiest ways is to view the /etc/issue file. Bigboy is running version 8.0

[root@bigboy cron.daily]# more /etc/issue
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m
[root@bigboy cron.daily]#

2. Once you have all this information, you’ll need to download and install the base, module and interface packages. Here are examples for a i586 installation using a PCI card on Redhat 8.0

[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-0.1.15-5.rh80.i586.rpm
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-modules-rh80.i586.rpm
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-pci-0.1.15-5.rh80.i586.rpm

3. If you get any error messages during the installation, then you're doing something wrong; error messages are there for a reason. However, I have seen the kernel-wlan-ng-pcmcia rpm installation give errors stating that the kernel-pcmcia-cs rpm hadn't been previously installed even when it had been. Installing the rpm with --force and --nodeps switches does the trick by forcing the installation while not checking for dependencies. Always remember that under normal circumstances this wouldn’t be a good idea.

[root@smallfry tmp]# rpm -Uvh kernel-wlan-ng-pcmcia-0.1.15-6.i386.rpm
error: Failed dependencies:
        kernel-pcmcia-cs is needed by kernel-wlan-ng-pcmcia-0.1.15-6
[root@smallfry tmp]# rpm -Uvh --force --nodeps kernel-wlan-ng-pcmcia-0.1.15-6.i386.rpm
Preparing...                ########################################### [100%]
   1:kernel-wlan-ng-pcmcia  ########################################### [100%]
Adding prism2_cs alias to /etc/modules.conf
Shutting down PCMCIA services: cardmgr modules.
Starting PCMCIA services: modules cardmgr.
ACHTUNG! ATTENTION! WARNING! YOU MUST configure /etc/pcmcia/wlan-ng.opts to match WAP settings!!!
[root@smallfry tmp]#

4. If you upgrade the version of your Linux, you'll probably have to do these steps all over again. The combined Linux / Linux-WLAN upgrade will also create new versions of your /etc/sysconfig/network-scripts/ifcfg-wlan0, /etc/wlan.conf and /etc/pcmcia/wlanng.opts files which you may have to restore from the automatically saved versions.

Linux-WLAN Installation – Using TAR files

If you are running a non standard version of your RedHat kernel or using a version of Linux that is incompatible with RPMs, then you’ll need to use the TAR file installation method. If you are running standard RedHat Linux use the RPMs unless you have excess patience.

Install the Kernel Source Files

Installing Linux-WLAN using TAR files involves compiling the software to make it match the particular flavor of the Linux kernel you are running. It is therefore important to install your kernel source files. For RedHat version 7.3 it was version 2.4.18-3; adjust accordingly.

[root@bigboy tmp]# rpm -Uvh kernel-source-2.4.18-3.i686.rpm

Download And Install The Linux-WLAN TAR File

Download the latest version of Linux-WLAN from www.linux-wlan.org. The most recent version as of this writing was: linux-wlan-ng-0.1.14-pre1.tar.gz. Remember that if you upgrade your Linux version or kernel, you'll probably have to do these steps all over again.

Unzip and install the Linux-WLAN files

[root@bigboy tmp]# gunzip linux-wlan-ng-0.1.14-pre1.tar.gz
[root@bigboy tmp]# tar -xvf linux-wlan-ng-0.1.14-pre1.tar
[root@bigboy tmp]# cd linux-wlan-ng-0.1.14
[root@bigboy linux-wlan-ng-0.1.14]# make clean
[root@bigboy linux-wlan-ng-0.1.14]# make config
===========================================
Running the “make config” command will prompt you for information:
o (PCI cards only) Say 'y' to pci and 'n' to pcmcia, plx, and usb driver questions
o (PCMCIA cards only) Say 'y' to pcmcia and 'n' to pci, plx, and usb driver questions
o When you are prompted for the "Module install directory" enter /lib/modules/“linux-kernel-version”, where “linux-kernel-version” is the version of the kernel. Get a directory listing of /lib/modules/ beforehand to make sure you are providing the correct kernel directory that both matches your kernel version and that also actually has files in it. Select only a single module directory as using more than one can lead to future "make" problems.
o Use other defaults
===========================================

[root@bigboy linux-wlan-ng-0.1.14]# make all
[root@bigboy linux-wlan-ng-0.1.14]# make install

Configure The New wlan0 Interface Driver (PCI Cards)

1. Edit /etc/modules.conf and insert the following line to load the driver on booting:

alias wlan0 prism2_pci

2. Create a startup driver configuration file called wmp11 (or whatever your NIC card is named) in the /etc/init.d directory

[root@bigboy tmp]# vi /etc/init.d/wmp11

Add the following 4 lines to the file.

#!/bin/bash
modprobe prism2_pci
wlanctl-ng wlan0 lnxreq_ifstate ifstate=enable
wlanctl-ng wlan0 lnxreq_autojoin ssid=linux_wlan authtype=opensystem
exit 0

Remember to modify the SSID in the above commands to match that of your WAP. You can also test these commands from the command line to see if they work. The response should be:

message=lnxreq_autojoin
  ssid=linksys
  authtype=opensystem
  resultcode=success

If you get a resultcode=error or something else, then start over making sure you are using the latest versions of the Linux-WLAN software. At this time, the "Link" LED on your NIC card will come on solid, as it has established a link with the WAP11 access point.

3. Make the file executable so that it will be able to run on the next system reboot.

[root@bigboy tmp]# chmod 755 /etc/init.d/wmp11

4. The next step is to create a link to this file in the startup directories. When booting, the system needs to load the drivers for the interface before it will activate the interface. In RedHat the default network startup script link in /etc/rc3.d is named "S10network". You will need to create a symbolic link called "S09wmp11" to make /etc/init.d/wmp11 be run before "S10network" during the boot process.

[root@bigboy tmp]# cd /etc/rc3.d
[root@bigboy tmp]# ls *network*        (Verify the "network" filename)
[root@bigboy tmp]# ln -s ../init.d/wmp11 S09wmp11
[root@bigboy tmp]# cd /etc/rc5.d
[root@bigboy tmp]# ln -s ../init.d/wmp11 S09wmp11

5. Some web sites recommend putting the driver loading commands in /etc/rc.d/rc.local, but this makes the driver load at the end of the booting process and the wlan0 interface will be inactive till then. This may not be a problem for many installations, but applications such as Samba, DHCP server, DNS (named) and SSH, when configured to specifically run on the IP address of your interface, may fail to start if the interface is down. If your applications are set to promiscuous listening, which is the default setting for the applications above, it may not matter and you could put these commands in your /etc/rc.d/rc.local file instead and save yourself a lot of grief. If you don’t want to use the /etc/rc.d/rc.local file then you need to ensure that you run your custom driver script before the Linux "network" script starts up the wlan0 interface device you will create later.

Configure The New wlan0 Interface Driver (PCMCIA Cards)

Open and edit the configuration options file, /etc/pcmcia/wlan-ng.opts. Locate the lines containing "ssid=linux_wlan" and set the SSID to whatever value you’ve decided to use on your wireless LAN.

NOTE: Never alias for the PCMCIA cards in /etc/modules.conf, as it is not necessary, and also it will cause the system to try to bring up wlan0 before the PCMCIA services, which won't work.

Post Installation Steps

Configure The New wlan0 Interface

Edit /etc/sysconfig/network-scripts/ifcfg-wlan0 to include the following lines:

DHCP Version
============
DEVICE=wlan0
USERCTL=yes
ONBOOT=yes
BOOTPROTO=dhcp

Fixed IP Version
=================
DEVICE=wlan0
BROADCAST=192.168.1.255
IPADDR=192.168.1.100
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes

In the fixed IP version you will also need to:
o Substitute your selected IP, network, netmask and broadcast address for those above.
o Make sure you have a correct gateway statement in your /etc/sysconfig/network file, eg. GATEWAY=192.168.1.1

Disable Your Existing Ethernet NIC

You may want to disable your existing eth0 Ethernet interface after installing the drivers. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file to have an ONBOOT=no entry. This will disable the interface on reboot or when /etc/init.d/network is restarted.

Select the Wireless mode and SSID

Edit your /etc/wlan.conf file (PCI type NIC) or your /etc/pcmcia/wlan-ng.opts file (PCMCIA type NICs) configuration file. Locate the lines containing "ssid=linux_wlan" and set the SSID to whatever value you’ve decided to use on your wireless LAN. Also modify the IS_ADHOC option to make your NIC either support "adhoc" mode for peer to peer networks or "infrastructure" mode if you are using a WAP. Here is a sample snippet.

#=======SELECT STATION MODE===================
IS_ADHOC=n              # y|n, y - adhoc, n - infrastructure
#=======INFRASTRUCTURE STATION START===================
# SSID is all we have for now
AuthType="opensystem"   # opensystem | sharedkey (requires WEP)
# Use DesiredSSID="" to associate with any AP in range
DesiredSSID="linksys"

Simulate a Reboot

Run the following commands and test for errors in the file /var/log/messages:

PCI Cards – Installed Using RPMs
[root@bigboy tmp]# /etc/init.d/wlan restart
[root@bigboy tmp]# /etc/init.d/network restart

PCI Cards – Installed Using TAR Files
[root@bigboy tmp]# /etc/init.d/wmp11
[root@bigboy tmp]# /etc/init.d/network restart

PCMCIA Cards
[root@bigboy tmp]# /etc/rc.d/init.d/pcmcia restart
[root@bigboy tmp]# /etc/init.d/network restart

Now check to see that the IP address of the wlan interface is OK

[root@bigboy tmp]# ifconfig -a
[root@bigboy tmp]# ping <gateway-address>

Check For Interrupt Conflicts

Before installing the software you should ensure that the wireless NIC card doesn’t have an interrupt that clashes with another device in your computer. Insert the card in an empty slot in your Linux box and reboot. Inspect your /var/log/messages file again:

[root@bigboy tmp]# tail -300 /var/log/messages

Look carefully for any signs that the card is interfering with existing card IRQs. If there is a conflict there will usually be a warning, or "IRQ also used by..." message. If that is the case, move the card to a different slot, or otherwise eliminate the conflict by disabling the conflicting device if you don’t really need it.

Linux-WLAN Encryption For Security
One of the flaws of wireless networking is that all the wireless clients can detect the presence of all available network SSIDs and have the option of joining any of them. With encryption, the client must have a membership encryption password which can also be represented as a series of Wireless Encryption Protocol (WEP) keys.

Note: I must strongly recommend that you first set up your network without encryption. Only migrate to an encrypted design after you are satisfied that the unencrypted design works satisfactorily.

The /etc/wlan.conf file (PCI type NIC) or the /etc/pcmcia/wlan-ng.opts file (PCMCIA type NICs) is also used to activate this feature. To invoke encryption, you have to set the "dot11PrivacyInvoked" parameter to "true" and state which of the keys will be used as the default starting key via the "dot11WEPDefaultKeyID" parameter. You then have the option of either providing a key generating string (simple password) or all four of the keys. In the example below, "ketchup" is the password used to automatically generate the keys.

#=======WEP===========================================
# [Dis/En]able WEP.  Settings only matter if PrivacyInvoked is true
lnxreq_hostWEPEncrypt=false     # true|false
lnxreq_hostWEPDecrypt=false     # true|false
dot11PrivacyInvoked=true
dot11WEPDefaultKeyID=1
dot11ExcludeUnencrypted=true    # true|false, in AP this means WEP
                                # is required for all STAs
# If PRIV_GENSTR is not empty, use PRIV_GENTSTR to generate
# keys (just a convenience)
PRIV_GENERATOR=/sbin/nwepgen    # nwepgen, Neesus compatible
PRIV_KEY128=false               # keylength to generate
PRIV_GENSTR="ketchup"
# or set them explicitly.  Set genstr or keys, not both.
dot11WEPDefaultKey0=            # format: xx:xx:xx:xx:xx or
dot11WEPDefaultKey1=            # xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
dot11WEPDefaultKey2=            # e.g. 01:20:03:40:05 or
dot11WEPDefaultKey3=            # 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d

Not all devices on your network will use the same algorithm method to generate the encryption keys. You may find the same generator string will not create the same keys, and intra-network communication will be impossible. If this is the case, you can use the /sbin/nwepgen program to generate the keys once you provide your easy to remember key generator string. Here is how you can use nwepgen to create the keys with a generator string of "ketchup".

[root@bigboy tmp]# /sbin/nwepgen ketchup
64:c1:a1:cc:db
2b:32:ed:37:16
b6:cc:9e:1b:37
d7:0e:51:3f:03
[root@bigboy tmp]#

Once you have the four sets of keys, you’ll have to add them individually and in sequence to the /etc/wlan.conf (or /etc/pcmcia/wlan-ng.opts) file and set the PRIV_GENSTR parameter to "". In this case your /etc/wlan.conf file would look like this:

PRIV_GENSTR=""
# or set them explicitly.  Set genstr or keys, not both.
dot11WEPDefaultKey0= 64:c1:a1:cc:db
dot11WEPDefaultKey1= 2b:32:ed:37:16
dot11WEPDefaultKey2= b6:cc:9e:1b:37
dot11WEPDefaultKey3= d7:0e:51:3f:03

Remember that all devices on your network will need to have the same keys and default key for this to work. This includes all wireless NICs and WAPs.

De-activating Encryption
In some cases, NIC cards without full Linux-WLAN compatibility will freeze up after a number of hours of working with encryption. The steps to reverse encryption are:

o Set the configuration file parameter "dot11PrivacyInvoked" to "false"

o Stop Linux-WLAN and disable the wireless wlan0 interface
[root@bigboy tmp]# /etc/init.d/wlan stop
Shutting Down WLAN Devices:message=lnxreq_ifstate
  ifstate=disable
  resultcode=success
[root@bigboy tmp]# ifdown wlan0

o Even though you have done these two steps, the driver is still loaded in memory, though not active. Your next steps will be to list all the active drivers in memory with the lsmod command, and remove the Linux-WLAN related entries using rmmod
[root@bigboy tmp]# lsmod
Module                  Size  Used by    Not tainted
…
prism2_pci             66672   1  (autoclean)
p80211                 20328   1  [prism2_pci]
…
[root@bigboy tmp]# rmmod prism2_pci
[root@bigboy tmp]# rmmod p80211

o Restart Linux-WLAN and reactivate the wlan0 interface and you should be functional again.
[root@bigboy tmp]# /etc/init.d/wlan start
Starting WLAN Devices:message=lnxreq_hostwep
  resultcode=no_value
  decrypt=false
  encrypt=false
[root@bigboy tmp]# ifup wlan0

o If you fail to reload the driver modules you’ll get errors like these below in your /var/log/messages file.
Jan 2 18:11:12 bigboy kernel: prism2sta_ifstate: hfa384x_drvr_start() failed, result=-110
Jan 2 18:11:18 bigboy kernel: hfa384x_docmd_wait: hfa384x_cmd timeout(1), reg=0x8021.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Initialize command failed.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Failed, result=110

Troubleshooting Your Wireless LAN
Always check the /var/log/messages file for possible errors arising from the software installation. The chapter on logging covers how to do this in more detail. p80211 kernel errors in /var/log/messages usually point to an incorrectly configured SSID:
Nov 13 22:24:54 bigboy kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association, frame dropped.

If there are no errors in /var/log/messages and you can’t ping your gateways or obtain an IP address, then check your /etc/sysconfig/network-scripts/ifcfg-wlan0 file for a correct IP configuration and your routing table to make sure your routes are OK. You can also check to see if your Linux box is out of range of the WAP.

Chapter 11: Linux Firewalls Using iptables

This chapter shows you how to use iptables as:
• A firewall while simultaneously being your home website's mail, web and DNS server.
• A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network while sharing the public IP address of your firewall.

What Is iptables?
Originally, the most popular firewall / NAT package running on Linux was ipchains. It had a number of limitations, the primary one being that it ran as a separate program and not as part of the kernel. The Netfilter organization decided to create a new product called iptables in order to rectify this shortcoming. As a result of this, iptables is considered a faster and more secure alternative. iptables has now become the default firewall package installed under RedHat Linux.

Download And Install The Iptables Package
Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn’t hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. The latest version of the RPM for RedHat 8.0 is iptables-ipv6-1.2.6a-2.i386.rpm. Install the package using the following command:

[root@bigboy tmp]# rpm -Uvh iptables-ipv6-1.2.6a-2.i386.rpm
Preparing...                ########################################### [100%]
   1:iptables               ########################################### [100%]
[root@bigboy tmp]#

How To Get iptables Started
You can start/stop/restart iptables after booting by using the following commands:
[root@bigboy tmp]# /etc/init.d/iptables start
[root@bigboy tmp]# /etc/init.d/iptables stop
[root@bigboy tmp]# /etc/init.d/iptables restart

To get iptables configured to start at boot:
[root@bigboy tmp]# chkconfig --level 345 iptables on

Packet Processing In iptables
All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation / filtering chain. Don’t worry if this all seems confusing, there’ll be tables and examples of how the concepts are all interlinked. For example, the charts below describe the steps taken by iptables when a packet traverses the firewall.

Processing For Packets Routed By The Firewall

Each step lists the packet flow, the iptables table and chain (queue) that intercepts the packet, and the possible modifications iptables can make using that table.

Packet enters the NIC and is passed to iptables
  mangle table, PREROUTING chain: Modification of the TCP packet quality of service bits. (Rarely used)
  nat table, PREROUTING chain: Destination network address translation (DNAT)
Packet passed to the Linux routing engine
  (no iptables table or chain): Determines whether the packet is destined to a local application or should be sent out another NIC interface
Packet passed back to iptables
  filter table, FORWARD chain: Packet filtering: Packets destined for servers accessible by another NIC on the firewall.
  nat table, POSTROUTING chain: Source network address translation (SNAT)
Packet transmitted out the other NIC
  (no iptables table or chain)

Packet Processing For Data Received By The Firewall

Each step lists the packet flow, the action taken by the operating system, the iptables table and chain (queue) that intercepts the packet, and the possible modifications iptables can make using that table.

Packet destined for firewall
  Packet enters the NIC from remote server. The packet is intercepted by the iptables mangle, then nat queues.
    mangle table, PREROUTING chain: Modification of the TCP packet quality of service bits. (Rarely used)
    nat table, PREROUTING chain: Destination network address translation (DNAT)
  The packet is then passed from iptables to the Linux routing engine. The routing engine passes the packet to the target application via the iptables filter queue.
    filter table, INPUT chain: Packet filtering: Packets destined for the firewall.
  The application receives the packet from iptables then processes it.

Packet Processing For Data Sent By The Firewall

Each step lists the packet flow, the action taken by the operating system, the iptables table and chain (queue) that intercepts the packet, and the possible modifications iptables can make using that table.

Packet originating from firewall
  The application sends data to a remote server. The packet is intercepted by iptables which then processes it in the mangle, nat and filter tables.
    mangle table, OUTPUT chain: Modification of the TCP packet quality of service bits. (Rarely used)
    nat table, OUTPUT chain: Source network address translation (Rarely used)
    filter table, OUTPUT chain: Packet filtering: Packets destined for other servers / devices.
  The packet is then passed to the Linux routing engine which forwards the packet out the correct NIC. The packet is intercepted by the iptables nat table.
    nat table, POSTROUTING chain: Source network address translation (SNAT)
  Packet transmitted out a NIC

Targets And Jumps
You don't have to rely solely on the built-in chains provided by iptables, you can create your own chains. These can be accessed by making them the targets of "jumps" in the built-in chains. There are a number of built-in targets that most rules may use. So in summary, the targets/jumps tell the rule what to do with a packet that matches the rule perfectly.

Descriptions Of The Most Commonly Used Targets

Target: ACCEPT
• iptables stops further processing.
• The packet is handed over to the end application or the operating system for processing
Most common options: N/A

Target: DROP
• iptables stops further processing.
• The packet is blocked
Most common options: N/A

Target: LOG
• The packet information is sent to the syslog daemon for logging
• iptables continues processing with the next rule in the table
• As you can't LOG and DROP at the same time, it is common to have two similar rules in sequence. The first will LOG the packet, the second will DROP it.
Most common options: --log-prefix "string"  Tells iptables to prefix all log messages with a user defined string. Frequently used to tell why the logged packet was dropped

Target: REJECT
• Works like the DROP target, but will also return an error message to the host sending the packet that was blocked
Most common options: --reject-with qualifier  The qualifier tells what type of reject message is returned. These include: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply

Target: DNAT
• Used to do Destination Network Address Translation, i.e. rewriting the destination IP address of the packet
Most common options: --to-destination ipaddress  Tells iptables what the destination IP address should be

Target: SNAT
• Used to do Source Network Address Translation, i.e. rewriting the source IP address of the packet
• The source IP address is user defined
Most common options: --to-source <address>[-<address>][:<port>-<port>]  Specifies the source IP address and ports to be used by SNAT.

Target: MASQUERADE
• Used to do Source Network Address Translation, i.e. rewriting the source IP address of the packet
• By default the source IP address is the same as that used by the firewall's interface
Most common options: [--to-ports <port>[-<port>]]  Specifies the range of source ports the original source port can be mapped to.

Common TCP and UDP Match Criteria

Switches used with -p tcp:
--sport <port>   TCP source port. Can be a single value or a range in the format: starting-port:ending-port
--dport <port>   TCP destination port. Can be a single value or a range in the format: starting-port:ending-port
--syn            Used to identify a new connection request. ! --syn means, not a new connection request

Switches used with -p udp:
--sport <port>   UDP source port. Can be a single value or a range in the format: starting-port:ending-port
--dport <port>   UDP destination port. Can be a single value or a range in the format: starting-port:ending-port

Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT

In this example iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for the IP address 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80 (www/http).

Match extensions used with -m state:
--state <state>  The most frequently tested states are:
  ESTABLISHED    The packet is part of a connection which has seen packets in both directions
  NEW            The packet is the start of a new connection
  RELATED        The packet is starting a new secondary connection. This is a common feature of protocols such as an FTP data transfer, or an ICMP error.

Example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
         -m state --state ESTABLISHED -j ACCEPT

This is an expansion on the previous example. Here iptables is being configured to allow the firewall to accept TCP packets to be routed when they enter on interface eth0 from any IP address destined for the IP address 192.168.1.58 that is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are port 80 (www/http) and 443 (https). We are also allowing the return packets from 192.168.1.58 to be accepted too. In other words, instead of stating the source and destination ports, it is sufficient to allow packets related to established connections using the -m state and --state ESTABLISHED options.
Using User Defined Chains
As stated in the introduction, iptables can be configured to have user-defined chains. This feature is frequently used to help streamline the processing of packets. For example, instead of having a single chain for all protocols, it is possible to have a chain that determines the protocol type for the packet and then hands off the actual final processing to a protocol specific chain. This means you can replace a long chain with a main stubby chain pointing to multiple stubby chains, thereby shortening the total length of all chains the packet has to pass through.

Example:
# Create the user-defined chains before rules can be appended to them
iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out
iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
         -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

In this example we have six queues with the following characteristics to help assist in processing speed:

Chain              Description
INPUT              The regular built-in INPUT chain in iptables
OUTPUT             The regular built-in OUTPUT chain in iptables
fast-input-queue   Input chain dedicated to specific protocols
fast-output-queue  Output chain dedicated to specific protocols
icmp-queue-out     Output queue dedicated to ICMP
icmp-queue-in      Input queue dedicated to ICMP
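The jump, return and LOG-then-DROP behaviour described in the "Targets And Jumps" and "Using User Defined Chains" sections can be traced on paper, but it is easier to see on a small model. The following is an added example written for this manual page, not code from the book or from the iptables project: it models only the filter table, a few match fields, and the ACCEPT, DROP, LOG and jump targets, then runs constructed packets through the six-chain ICMP ruleset above. Python is used so the model runs anywhere without root or a real netfilter stack.

```python
"""Toy model of how iptables walks built-in and user-defined chains.

Added example, not code from the book: only the filter table, a few match
fields and the ACCEPT, DROP, LOG and jump targets are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    """The handful of packet attributes the toy rules can match on."""
    in_if: str = ""
    out_if: str = ""
    src: str = ""
    dst: str = ""
    proto: str = ""
    icmp_type: str = ""
    state: str = "NEW"


@dataclass
class Rule:
    """target is ACCEPT, DROP, LOG or the name of a user-defined chain."""
    target: str
    match: dict = field(default_factory=dict)   # attribute -> required value
    log_prefix: str = ""                        # --log-prefix for LOG rules

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class FilterTable:
    def __init__(self, policy: str = "DROP"):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = policy        # like iptables -P <chain> DROP
        self.log = []               # what the LOG target would send to syslog

    def new_chain(self, name: str) -> None:             # iptables -N <name>
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def _walk(self, chain: str, pkt: Packet):
        """Return a verdict, or None when the chain ends without one.

        Falling off the end of a user chain acts like RETURN: processing
        resumes at the rule after the jump in the calling chain.
        """
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}{chain} {pkt.proto} "
                                f"{pkt.src}->{pkt.dst}")
                continue                        # LOG does not stop processing
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target              # terminating targets
            verdict = self._walk(rule.target, pkt)   # jump to a user chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin: str, pkt: Packet) -> str:
        """Verdict for a packet entering a built-in chain; policy applies at the end."""
        v = self._walk(builtin, pkt)
        return v if v is not None else self.policy


def build_icmp_example() -> FilterTable:
    """The six-chain ruleset from the text, plus a LOG/DROP pair on INPUT."""
    fw = FilterTable(policy="DROP")
    for name in ("fast-input-queue", "fast-output-queue",
                 "icmp-queue-in", "icmp-queue-out"):
        fw.new_chain(name)
    fw.append("INPUT", Rule("fast-input-queue",
                            {"in_if": "eth0", "dst": "206.229.110.2"}))
    fw.append("OUTPUT", Rule("fast-output-queue",
                             {"out_if": "eth0", "src": "206.229.110.2"}))
    fw.append("fast-input-queue", Rule("icmp-queue-in", {"proto": "icmp"}))
    fw.append("fast-output-queue", Rule("icmp-queue-out", {"proto": "icmp"}))
    fw.append("icmp-queue-out", Rule("ACCEPT", {"proto": "icmp",
                                                "icmp_type": "echo-request",
                                                "state": "NEW"}))
    fw.append("icmp-queue-in", Rule("ACCEPT", {"proto": "icmp",
                                               "icmp_type": "echo-reply"}))
    # LOG then DROP: a LOG rule on its own would let the packet continue
    fw.append("INPUT", Rule("LOG", log_prefix="INPUT denied: "))
    fw.append("INPUT", Rule("DROP"))
    return fw


def trace_examples():
    """Run three constructed packets through the ruleset; returns (verdicts, log)."""
    fw = build_icmp_example()
    reply_in = Packet(in_if="eth0", dst="206.229.110.2", proto="icmp",
                      icmp_type="echo-reply", state="ESTABLISHED")
    ping_in = Packet(in_if="eth0", dst="206.229.110.2", proto="icmp",
                     icmp_type="echo-request", state="NEW")
    ping_out = Packet(out_if="eth0", src="206.229.110.2", proto="icmp",
                      icmp_type="echo-request", state="NEW")
    results = {
        "echo-reply in": fw.verdict("INPUT", reply_in),      # ACCEPT
        "echo-request in": fw.verdict("INPUT", ping_in),     # DROP, and logged
        "echo-request out": fw.verdict("OUTPUT", ping_out),  # ACCEPT
    }
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = trace_examples()
    for name, verdict in verdicts.items():
        print(f"{name:18} -> {verdict}")
    print("\n".join(log))
```

The inbound echo-request is the instructive case: it jumps INPUT to fast-input-queue to icmp-queue-in, matches nothing there, returns twice, and only then hits the LOG and DROP rules at the end of INPUT. Remove the DROP rule and the packet would fall through to the chain policy instead, which is why the text pairs the two.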

Sample iptables Scripts
Here are some sample scripts you can use to get iptables working for you. It shows you how to allow your firewall to:
• Be used as a Linux Web / Mail / DNS server
• Be the NAT router for your home network
• Prevent various types of attacks using corrupted TCP, UDP and ICMP packets.
• Outbound passive FTP access from the firewall
There are also simpler code snippets in the Appendix for:
• Inbound and outbound FTP connections to / from your firewall

This chapter also includes other snippets that will help you get basic functionality. It should be a good guide to get you started. You then can use the Appendix to find a detailed script once you feel more confident. Pay special attention to the logging example at the end. It is best to invoke these from your /etc/rc.d/rc.local file so that the firewall script is run every time you boot up.

Basic Initialization
It is a good policy, in any iptables script you write, to initialize your chain and table settings with known values. The "filter" table's INPUT, FORWARD and OUTPUT chains should DROP packets by default for the best security. Additional ALLOW rules should be added to the end of this script snippet. However, it is not good policy to make your "nat" and "mangle" tables DROP packets by default. This is because these tables are queried before the "filter" table, and if all packets that don't match the "nat" and "mangle" rules are DROP-ped, then they will not reach the INPUT, FORWARD and OUTPUT chains and won't be processed. The "basic initialization" script snippet should also be included in all your scripts to ensure the correct initialization of your chains should you decide to restart your script after startup.

#!/bin/bash
#--------------------------------------------------------------
# Load modules for FTP connection tracking and NAT – You may need
# them later
#--------------------------------------------------------------
modprobe ip_conntrack_ftp
modprobe iptable_nat
#--------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#--------------------------------------------------------------
iptables --flush
iptables -t nat --flush

Allow Your Home Network To Access The Firewall
In this example, eth1 is directly connected to a home network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.

#--------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#--------------------------------------------------------------
iptables -A INPUT  -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

If you want all TCP traffic originating from the firewall to be accepted then you can remove the following section from the snippet above:
-m multiport --dport 80,443 --sport 1024:65535

Masquerading (Many to One NAT)
As explained in the Introduction to Networking chapter, masquerading is another word for what many call "many to one" NAT. In other words, traffic from all devices on one or more protected networks will appear as if it originated from a single IP address on the Internet side of the firewall.

Note: If you configure your firewall to do masquerading, then it should be used as the default gateway for all your servers on the network.

iptables requires the iptable_nat module to be loaded with the "modprobe" command for the masquerade feature to work. Masquerading also depends on the Linux operating system being configured to support routing between the internet and private network interfaces of the firewall. This is done by enabling "IP forwarding" or routing by giving the file /proc/sys/net/ipv4/ip_forward the value "1" as opposed to the default disabled value of "0".

Once masquerading has been achieved using the POSTROUTING chain of the "nat" table, iptables will have to be configured to allow packets to flow between the two interfaces. This is done using the FORWARD chain of the "filter" table. More specifically, packets related to NEW and ESTABLISHED connections will be allowed outbound to the Internet, while only packets related to ESTABLISHED connections will be allowed inbound. This helps to protect the home network from persons trying to initiate connections from the Internet. An example follows:

#--------------------------------------------------------------
# Load the NAT module
#--------------------------------------------------------------
modprobe iptable_nat

#--------------------------------------------------------------
# Allow masquerading
# Enable routing by modifying the ip_forward /proc filesystem file
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#--------------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 \
         -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

#--------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#--------------------------------------------------------------
iptables -A FORWARD -t filter -i eth1 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT

Port Forwarding Type NAT (DHCP DSL)
In many cases home users may get a single DHCP public IP address from their ISP. If their Linux firewall is their interface to the Internet and they want to host a website on one of the NAT protected home servers then they will have to use the “port forwarding” technique. Here the combination of the firewall's single IP address, the remote server’s IP address and the source/destination port of the traffic can be used to uniquely identify a traffic flow. All traffic that matches a particular combination of these factors may then be forwarded to a single server on the private network.

Port forwarding is handled by the PREROUTING chain of the "nat" table. As in masquerading, the iptable_nat module will have to be loaded and routing enabled for port forwarding to work. Routing too will have to be allowed in iptables with the FORWARD chain; this would include all NEW inbound connections from the Internet matching the port forwarding port plus all future packets related to the ESTABLISHED connection in both directions. An example follows:

Static NAT
In this example, all traffic to a particular public IP address, not just to a particular port, is NAT-ted to a single server on the protected subnet. As the firewall has more than one IP address, MASQUERADE isn't recommended to be used as it will force masquerading as the IP address of the primary interface and not any of the alias IP addresses it may have. SNAT is therefore used to specify the alias IP address to be used for connections initiated by all other servers in the protected net. Note that though the "nat" table NATs all traffic to the target servers (192.168.1.100 to 102), only connections on ports 80, 443 and 22 are allowed through by the FORWARD chain.

#--------------------------------------------------------------
# Load the NAT module
#--------------------------------------------------------------
modprobe iptable_nat

#--------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#--------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward

#--------------------------------------------------------------
# NAT ALL traffic:
#
# TO:              FROM:      MAP TO SERVER:
# 97.158.253.26    Anywhere   192.168.1.100
# 97.158.253.27    Anywhere   192.168.1.101
# 97.158.253.28    Anywhere   192.168.1.102
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#--------------------------------------------------------------
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
         -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -d 97.158.253.27 -i eth0 \
         -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -d 97.158.253.28 -i eth0 \
         -j DNAT --to-destination 192.168.1.102
# SNAT lives in the nat table and applies to packets leaving on the
# internet interface eth0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
         -j SNAT --to-source 97.158.253.29

#--------------------------------------------------------------
# Allow forwarding to each NAT-ted server on the web, secure web
# and SSH ports only; return traffic is allowed by connection state
#--------------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
         -m multiport --dport 80,443,22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.101 \
         -m multiport --dport 80,443,22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.102 \
         -m multiport --dport 80,443,22 --sport 1024:65535 \
         -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT

Logging & Troubleshooting
You track packets passing through the iptables list of rules using the LOG target. You should be aware that the LOG target:
o will log all traffic that matches the iptables rule in which it is located,
o automatically writes an entry to the /var/log/messages file and then executes the next rule.

Therefore if you want to log only unwanted traffic then you have to add a matching rule with a DROP target immediately after the LOG rule. If you don’t, you’ll find yourself logging both desired and unwanted traffic with no way of discerning between the two, as by default iptables doesn’t state why the packet was logged in its log message.

This example logs a summary of failed packets to the file /var/log/messages. You can use the contents of this file to determine what TCP/UDP ports you need to open to provide access to specific traffic that is currently stopped.

#--------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#--------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Here are some examples of the output of this file:

o Firewall denying replies to DNS queries (UDP port 53) destined to server 192.168.1.102
Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 PROTO=UDP SPT=53 DPT=32820 LEN=200

o Firewall denying Windows NetBIOS traffic (UDP port 138)
Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221

o Firewall denying Network Time Protocol (NTP UDP port 123)
Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56

Note: The traffic in all these examples isn’t destined for the firewall. Therefore you should check your FORWARD and NAT related statements. If the firewall’s IP address is involved, then you should focus on the INPUT and OUTPUT statements. If nothing shows up in the logs, then follow the steps in the Network Troubleshooting chapter to determine whether the data is reaching your firewall at all, and if it is not, the location in your network that could be causing the problem.

Troubleshooting NAT: As a general rule, you won’t be able to access the public NAT IP addresses from servers on your home network. Basic NAT testing will require you to ask a friend to try to connect to your home network from the Internet. You can then use the logging output in /var/log/messages to make sure that:
o the translations are occurring correctly and
o iptables isn’t dropping the packets after translation occurs
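Reading LOG output by eye works for three lines; for a day of /var/log/messages a small parser that groups denied traffic by chain, protocol and destination port answers the question the text poses (which ports need opening). The following is an added example written for this manual page, not code from the book or the netfilter project. The three kernel lines are the ones from the excerpt above; the fourth sample line is a constructed non-firewall entry to show that unrelated syslog lines are skipped. The IN=/OUT= interpretation (IN only is INPUT, OUT only is OUTPUT, both is FORWARD) follows how the LOG target fills those fields; the field names are read from the lines themselves rather than assumed from a fixed list.

```python
"""Parse iptables LOG lines from /var/log/messages and summarize them.

Added example, not from the book. SAMPLE_LINES reproduces the three log
lines shown in the text plus one constructed, unrelated syslog line.
"""
import re
from collections import Counter

# KEY=VALUE pairs; VALUE may be empty, as in "IN=" or "OUT="
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

SAMPLE_LINES = [
    "Feb 23 20:33:50 bigboy kernel: IN=wlan0 OUT= "
    "MAC=00:06:25:09:69:80:00:a0:c5:e1:3e:88:08:00 SRC=192.42.93.30 "
    "DST=192.168.1.102 LEN=220 TOS=0x00 PREC=0x00 TTL=54 ID=30485 "
    "PROTO=UDP SPT=53 DPT=32820 LEN=200",
    "Feb 23 20:43:08 bigboy kernel: IN=wlan0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:06:25:09:6a:b5:08:00 SRC=192.168.1.100 "
    "DST=192.168.1.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=138 DPT=138 LEN=221",
    "Feb 23 20:58:48 bigboy kernel: IN= OUT=wlan0 SRC=192.168.1.102 "
    "DST=207.200.81.113 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=123 DPT=123 LEN=56",
    # constructed: not a firewall line, must be ignored by the parser
    "Feb 23 21:00:00 bigboy sshd[1234]: Accepted publickey for peter",
]


def parse_log_line(line):
    """Return a dict of fields from one kernel LOG line, or None for other lines."""
    head, sep, body = line.partition("kernel:")
    if not sep or "PROTO=" not in body:
        return None
    rec = {"timestamp": " ".join(head.split()[:3])}
    for key, val in FIELD_RE.findall(body):
        if key in rec:
            # LEN= appears twice: the IP total length first, then the
            # UDP/TCP length after PROTO=, so the second copy is renamed
            key = f"{rec.get('PROTO', 'L4')}_{key}"
        rec[key] = val
    rec["DF"] = " DF " in body      # bare flag with no '=', not caught above
    return rec


def chain_for(rec):
    """Which built-in chain logged the packet, judged from the IN=/OUT= fields."""
    if rec.get("IN") and rec.get("OUT"):
        return "FORWARD"
    return "INPUT" if rec.get("IN") else "OUTPUT"


def summarize(lines):
    """Count logged flows by (chain, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            counts[(chain_for(rec), rec["PROTO"], rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (chain, proto, dport), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{chain:8} {proto:5} dport {dport:>6}  {n} packet(s)")
```

With the LOG and DROP pair from the snippet above, every counted line is a dropped packet, so the summary reads directly as "ports that a rule would have to open". On a real box feed it the lines from /var/log/messages instead of SAMPLE_LINES.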

Chapter 12: Telnet, TFTP and XINETD

Telnet

What is Telnet?
Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. Telnet is installed and enabled by default on RedHat Linux. One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password. A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption.

The command to do remote logins via telnet from the command line is simple. You enter the word "telnet" and then the IP address or server name to which you want to connect. Here is an example of someone logging into a remote server named "smallfry" from server "bigboy". The user looks at the routing table and then logs out.

[root@bigboy root]# telnet 192.168.1.105
Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.
Linux 2.4.18-14 (smallfry.my-site.com) (10:35 on Sunday, 05 January 2003)
Login: peter
Password:
Last login: Fri Nov 22 23:29:44 on ttyS0
You have new mail.
[peter@smallfry peter]$
[peter@smallfry peter]$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH       40 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG       40 0          0 wlan0
[peter@smallfry peter]$ exit
logout
Connection closed by foreign host.
[root@bigboy root]#

Setting Up A Telnet Server
By default Telnet is installed and enabled on RedHat Linux. You can test whether the Telnet process is running with the following command, which is used to check the TCP/UDP ports on which your server is listening:

[root@bigboy root]# netstat -a | grep telnet
tcp        0      0 *:telnet                *:*                     LISTEN
[root@bigboy root]#

If you want to disable Telnet then edit the file /etc/xinetd.d/telnet and set the disable parameter to "yes".

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

You'll then have to restart xinetd for the new settings to take effect.

[root@bigboy tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@bigboy tmp]#

TFTP

What is TFTP?
Cisco and other networking equipment manufacturers allow you to backup live configurations from routers and switches to workstations via the TFTP protocol. The reverse is also true, configurations can be loaded from the server to the network device. A common use of this reverse TFTP is the application of access control lists (ACLs) and even passwords from a centralized file. A remotely stored configuration file is always good to have.

Setting up a TFTP server

Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. The latest TFTP server version of the RPM for RedHat 8.0 is tftp-server-0.29-3.i386.rpm. Here are the steps to setting up the software:

o Install the package using the following command:

[root@bigboy tmp]# rpm -Uvh tftp-server-0.29-3.i386.rpm

o Edit the file /etc/xinetd.d/tftp and set disable to "no".

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol. The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        only_from       = 192.168.1.1
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot
        disable         = no
        per_source      = 11
        cps             = 100 2
}

In this example, xinetd will only allow the TFTP server to accept connections from the router / switch / firewall with an address of 192.168.1.1. You can extend this list with commas in between or just comment it out altogether for global access.

o Create a /tftpboot directory with global read write privileges

[root@bigboy tmp]# chmod 777 /tftpboot

o Restart xinetd

[root@bigboy tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@bigboy tmp]#

Using TFTP To Restore Your Router Configuration

One of the benefits of having a TFTP server is that you can save your configuration files on a remote server's hard disk. This can be very useful in the event of a router failure after which you need to reconfigure the device from scratch. One of the simplest ways of doing this using TFTP is to:

o Connect your router to the local network of the TFTP server
o Give your router the bare minimum configuration that allows it to ping your TFTP server. (No access controls or routing protocols)
o Use the copy command to copy the backup configuration from the TFTP server to your startup configuration in NVRAM.
o Disconnect the router from the network
o Reload the router without saving the live running configuration to overwrite the startup configuration. On rebooting, the router will copy the startup configuration stored in NVRAM into a clean running configuration environment
o Log into the router via the console and verify the configuration is OK
o Reconnect the router to the networks on which it was originally connected

Chapter 13: Linux FTP Server Setup

This chapter will show you how to convert your Linux box into an FTP server using the VSFTP package.
The RedHat software download site runs on VSFTP.

FTP Overview
File Transfer Protocol (FTP) is a common method of copying files between computer systems. Two TCP ports are used to do this:



FTP Control Channel - TCP Port 21
All commands you send and the ftp server's responses to those commands will go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) will go over the data connection.

FTP Data Channel - TCP Port 20
Used for all data sent between the client and server.

Active FTP
Active FTP works as follows:

o Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over this connection.
o Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port on the client.
o Thus the 'ls' listing that you asked for comes back over the "port 20 to high port connection", not the port 21 control connection.
o FTP active mode data transfer therefore does this in a counter-intuitive way to the TCP standard, as it selects port 20 as its source port (not a random high port > 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.
o Active FTP may fail in cases where the client is protected from the Internet via many-to-one NAT (masquerading). This is because the firewall will not know which of the many servers behind it should receive the return connection.

Passive FTP

Passive FTP works as follows:

o Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over that connection.
o Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
o Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers.
o Passive FTP works better for clients protected by a firewall as the client always initiates the required connections.

Problems With FTP And Firewalls
FTP frequently fails when the data has to pass through a firewall, as FTP uses a wide range of unpredictable TCP ports and firewalls are designed to limit data flows to predictable TCP ports. There are ways to overcome this, as explained in the following sections. The Appendix has examples of how to configure the iptables Linux firewall to function with both active and passive FTP.

Client Protected By A Firewall Problem
Typically firewalls don't let any incoming connections in at all; this will frequently cause active FTP not to function. This type of FTP failure has the following symptoms:

o The active ftp connection appears to work when the client initiates an outbound connection to the server on port 21.
o The connection appears to hang as soon as you do an "ls" or a "dir" or a "get". This is because the firewall is blocking the return connection from the server to the client. (From port 20 on the server to a high port on the client)

Solutions

Here are the general firewall rules you'll need to allow FTP clients through a firewall:

Client Protected by Firewall - Required Rules for FTP

Method           Source Address        Source Port  Destination Address   Destination Port  Connection Type
(Allow outgoing control connections to server)
Control Channel  FTP client/network    High         FTP server**          21                New
Control Channel  FTP server**          21           FTP client/network    High              Established*
(Allow the client to establish data channels to remote server)
Active FTP       FTP server**          20           FTP client/network    High              New
Active FTP       FTP client/network    High         FTP server**          20                Established*
Passive FTP      FTP client/network    High         FTP server**          High              New
Passive FTP      FTP server**          High         FTP client/network    High              Established*

*Many home based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
**In some cases you may want to allow all Internet users to have access, not just a specific client server or network.
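The client-side rule table above, and the active/passive descriptions before it, as an added example that is not part of the manual: connections are written in the table's own columns and checked against rule tuples in the same columns, so you can see why active FTP hangs behind a firewall that only permits outgoing connections and why the table's rules fix it. The port numbers 33000 and 40000 are constructed sample values, and many-to-one NAT is not modelled.

```python
"""Model of the "Client Protected by Firewall" FTP rule table."""
from collections import namedtuple

Conn = namedtuple("Conn", "src sport dst dport state")  # state: 'new' or 'established'

HIGH = "high"   # any port above 1024, as the table uses the word
ANY = "any"     # wildcard used only by the generic rules below


def port_matches(pattern, port):
    """Match a port column: an exact number, HIGH (> 1024) or ANY."""
    if pattern == ANY:
        return True
    if pattern == HIGH:
        return port > 1024
    return pattern == port


# The six rows of the client-side table, top to bottom.
# Columns: source address, source port, destination address, destination port, type
CLIENT_RULES = [
    ("client", HIGH, "server", 21, "new"),          # outgoing control connection
    ("server", 21, "client", HIGH, "established"),  # replies on the control channel
    ("server", 20, "client", HIGH, "new"),          # active FTP: server opens data channel
    ("client", HIGH, "server", 20, "established"),  # replies on the active data channel
    ("client", HIGH, "server", HIGH, "new"),        # passive FTP: client opens data channel
    ("server", HIGH, "client", HIGH, "established"),
]

# A typical home firewall before the FTP rules are added: outgoing connections
# and their replies pass, any new inbound connection is dropped.
OUTBOUND_ONLY_RULES = [
    ("client", HIGH, "server", ANY, "new"),
    ("server", ANY, "client", HIGH, "established"),
]


def rule_matches(rule, conn):
    src, sport, dst, dport, state = rule
    return (src == conn.src and dst == conn.dst and state == conn.state
            and port_matches(sport, conn.sport) and port_matches(dport, conn.dport))


def allowed(rules, conn):
    """A connection passes if any rule in the table matches it."""
    return any(rule_matches(rule, conn) for rule in rules)


def ftp_session(mode, client_port=33000, server_data_port=40000):
    """Connections an 'ls' needs: the control channel to port 21, then the
    data channel, which the server opens from port 20 in active mode and
    the client opens to a high server port in passive mode."""
    control = Conn("client", client_port, "server", 21, "new")
    if mode == "active":
        data = Conn("server", 20, "client", client_port + 1, "new")
    elif mode == "passive":
        data = Conn("client", client_port + 1, "server", server_data_port, "new")
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return [control, data]


def session_works(rules, mode):
    """True when every connection the session needs is allowed."""
    return all(allowed(rules, conn) for conn in ftp_session(mode))


if __name__ == "__main__":
    for name, rules in (("outbound-only firewall", OUTBOUND_ONLY_RULES),
                        ("with the table's rules", CLIENT_RULES)):
        for mode in ("active", "passive"):
            verdict = "works" if session_works(rules, mode) else "hangs on ls"
            print(f"{name}: {mode} FTP {verdict}")
```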
Server Protected By A Firewall Problem

Typically firewalls don't let any connections come in at all. The symptom is:

o FTP server failure due to firewalls, in which the active ftp connection from the client doesn't appear to work at all.

Solutions

Here are the general firewall rules you'll need to allow FTP servers through a firewall:

Server Protected by Firewall - Required Rules for FTP

Method           Source Address        Source Port  Destination Address   Destination Port  Connection Type
(Allow incoming control connections to server)
Control Channel  FTP client/network**  High         FTP server            21                New
Control Channel  FTP server            21           FTP client/network**  High              Established*
(Allow server to establish data channel to remote client)
Active FTP       FTP server            20           FTP client/network**  High              New
Active FTP       FTP client/network**  High         FTP server            20                Established*
Passive FTP      FTP client/network**  High         FTP server            High              New
Passive FTP      FTP server            High         FTP client/network**  High              Established*

*Many home based firewall/routers automatically allow traffic for already established connections. This rule may not be necessary in all cases.
**In some cases you may want to allow all Internet users to have access, not just a specific client server or network.

How To Download And Install The VSFTP Package

• As explained previously, RedHat software is installed using RPM packages. In version 8.0 of the operating system, the VSFTP RPM file is named: vsftpd-1.1.0-1.i386.rpm. Downloading and installing RPMs isn't hard. If you need a refresher, the RPM chapter covers how to do this in detail.
• Now download the file to a directory such as /tmp and install it using the "rpm" command:

[root@bigboy tmp]# rpm -Uvh vsftpd-1.1.0-1.i386.rpm
Preparing...                ########################################### [100%]
   1:vsftpd                 ########################################### [100%]
[root@bigboy tmp]#

How To Get VSFTP Started

The starting and stopping of VSFTP is controlled by xinetd via the /etc/xinetd.d/vsftpd file. VSFTP is deactivated by default, so you'll have to edit this file to start the program. The disable feature must be set to "no" to accept connections. Make sure the contents look like this:

service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        nice            = 10
}

You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init.d directory.

[root@aqua tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@aqua tmp]#

Naturally, to disable VSFTP once again, set "disable" to "yes" and restart xinetd.

Testing To See If VSFTP Is Running

You can always test whether the VSFTP process is running by using the netstat -a command, which lists all the TCP and UDP ports on which the server is listening for traffic. The example below shows the expected output.

[root@bigboy root]# netstat -a | grep ftp
tcp        0      0 *:ftp                   *:*                     LISTEN
[root@bigboy root]#

There would be no output at all if VSFTP wasn't running.

What Is Anonymous FTP?

Anonymous FTP is used by web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s to uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP where you login with a user-specific username, anonymous FTP only requires a username of "anonymous" and your email address for the password. Once logged in to a VSFTP server, you'll automatically have access to only the default anonymous FTP directory /var/ftp and all its subdirectories. As seen in the chapter on RPMs, using anonymous FTP as a remote user is fairly straightforward.

The /etc/vsftpd.conf File

VSFTP only reads the contents of its /etc/vsftpd.conf configuration file when it starts, so you'll have to restart xinetd each time you edit the file in order for the changes to take effect. This file uses a number of default settings you need to know.

By default, VSFTP runs as an anonymous FTP server. Unless you want any remote user to log into your default FTP directory, I would suggest turning this off. The configuration file's anonymous_enable instruction can be commented out using a "#" to disable this feature.

VSFTP can be configured to support user based and/or anonymous FTP in its configuration file. By default VSFTP only allows anonymous FTP downloads to remote users, not uploads from them. Also by default, VSFTP doesn't allow remote users to create directories on your FTP server and it logs FTP access to the /var/log/vsftpd.log log file.

The configuration file is fairly straightforward as you can see in the snippet below. Remove/add the "#" at the beginning of the line to "activate/deactivate" the feature on each line.

# Allow anonymous FTP?
anonymous_enable=YES
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
FTP Security Issues

The /etc/vsftpd.ftpusers File

For added security you may restrict FTP access to certain users by adding them to the list of users in this file. Do not delete entries from the default list; it is best to add.

Anonymous Upload

If you want remote users to write data to your FTP server then it is recommended you create a write-only directory within /var/ftp/pub. This will allow your users to upload, but not access other files uploaded by other users. Here are the commands to do this:

[root@bigboy tmp]# mkdir /var/ftp/pub/upload
[root@bigboy tmp]# chmod 733 /var/ftp/pub/upload

FTP Greeting Banner

Change the default greeting banner in /etc/vsftpd.conf to make it harder for malicious users to determine the type of system you have.

ftpd_banner= New Banner Here

Using SCP As Secure Alternative To FTP

One of the disadvantages of FTP is that it does not encrypt your username and password. This could make your user account vulnerable to an unauthorized attack from a person eavesdropping on the network connection. Secure Copy (SCP) provides encryption and could be considered as an alternative to FTP for trusted users. SCP however does not support anonymous services, a feature that FTP does.

Chapter 14: Secure Remote Logins And File Copying

RedHat Linux comes standard with Secure Shell (SSH) installed. This provides an encrypted data stream for you to use when you log in from one machine to another. When logging in from another Linux/UNIX machine you use the "ssh" command. There are GUI based SSH clients available for Windows; see the references in the bibliography.

• You can get SSH configured to start at boot by using the chkconfig command.

[root@bigboy tmp]# chkconfig --level 35 sshd on

• You can also start/stop/restart SSH after booting by running the sshd initialization script.

[root@bigboy tmp]# /etc/init.d/sshd start
[root@bigboy tmp]# /etc/init.d/sshd stop
[root@bigboy tmp]# /etc/init.d/sshd restart

Remember to restart the SSH process every time you make a change to the configuration files for the changes to take effect on the running process.

Testing To See If SSH Is Running

You can test whether the SSH process is running with the following command. You should get a response of plain old process ID numbers:

[root@bigboy tmp]# pgrep sshd

The /etc/ssh/sshd_config File

The SSH configuration file is called /etc/ssh/sshd_config. By default SSH listens on all your NICs and uses TCP port 22. See the configuration snippet below:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

If you are afraid of people trying to hack in on a well known TCP port, then you can change port 22 to something else that won't interfere with other applications on your system, such as port 435.

• First make sure your system isn't listening on port 435, using the "netstat" command and using "grep" to filter out everything that doesn't have the string "435".

[root@bigboy root]# netstat -an | grep 435
[root@bigboy root]#

• No response. OK. If port 435 is being used, pick another port and try again.
• Change the Port line in /etc/ssh/sshd_config to mention 435 and remove the "#" at the beginning of the line.

Port 435

• Restart SSH

[root@bigboy tmp]# /etc/init.d/sshd restart

• Check to ensure SSH is running on the new port

[root@bigboy root]# netstat -an | grep 435
tcp        0      0 192.168.1.100:435       0.0.0.0:*               LISTEN
[root@bigboy root]#

Using SSH To Login To A Remote Machine

Using SSH is similar to Telnet. To login from another Linux box use the "ssh" command with a "-l" to specify the username you wish to login as. If you leave out the "-l", your username will not change. Here are some examples for a server named "smallfry" in your /etc/hosts file.

User "root" Logs In To smallfry As User "root"

[root@bigboy tmp]# ssh smallfry

User "root" Logs In To smallfry As User "peter"

Using default port 22

[root@bigboy tmp]# ssh -l peter smallfry

Using port 435

[root@bigboy tmp]# ssh -l peter -p 435 smallfry

What You Should Expect To See When You Log In

The first time you log in, you will get a warning message saying that the remote host doesn't know about your machine. Something like this:

[root@bigboy tmp]# ssh smallfry
Host key not found from the list of known hosts.
!! If host key is new or changed, ssh1 protocol is vulnerable to an
!! attack known as false-split, which makes it relatively easy to
!! hijack the connection without the attack being detected. It is
!! highly advisable to turn StrictHostKeyChecking to "yes" and
!! manually copy host keys to known_hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'smallfry' added to the list of known hosts.
root@smallfry's password:
Last login: Thu Nov 14 10:18:45 2002 from 192.168.1.98
No mail.
[root@smallfry tmp]#

Deactivating Telnet once SSH is installed

Now you need to switch off Telnet. The Telnet server is controlled by the xinetd network security program. Xinetd is installed by default in RedHat 7.3 and newer. The configuration files for each of the network programs it controls are located in the /etc/xinetd.d directory. Edit the file /etc/xinetd.d/telnet and set the disable parameter to "yes".

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

Now restart xinetd.

[root@bigboy tmp]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@bigboy tmp]#
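The sshd_config snippet and the port-change steps above, as an added example that is not part of the manual or of OpenSSH: it applies the snippet's own rule that a commented option shows the default and an uncommented one overrides it, reports the values actually in force, and flags whether protocol 1 is still accepted (the ssh1 warning in the login output) and whether sshd still sits on port 22. Both configuration texts are constructed samples.

```python
"""Effective Port, Protocol and ListenAddress values from an sshd_config."""
import re

DEFAULT_CONFIG = """\
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
"""

MOVED_PORT_CONFIG = """\
Port 435
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
"""

WATCHED = ("Port", "Protocol", "ListenAddress")


def effective_settings(text):
    """Return {option: (values, source)}: source is 'default' when only a
    commented line was seen, 'set' when an active line overrides it."""
    defaults, active = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        m = re.match(r"(\w+)\s+(.+)", body)
        if not m or m.group(1) not in WATCHED:
            continue
        target = defaults if commented else active
        target.setdefault(m.group(1), []).append(m.group(2))
    result = {}
    for option in WATCHED:
        if option in active:
            result[option] = (active[option], "set")
        elif option in defaults:
            result[option] = (defaults[option], "default")
    return result


def findings(text):
    """Plain-language checks derived from the chapter's advice."""
    settings = effective_settings(text)
    notes = []
    port = settings.get("Port", (["22"], "default"))[0][-1]
    suffix = " (the well-known port)" if port == "22" else ""
    notes.append(f"sshd listens on port {port}{suffix}")
    protocols = settings.get("Protocol", (["2,1"], "default"))[0][-1]
    if "1" in protocols.split(","):
        notes.append("protocol 1 is accepted; the ssh1 protocol is vulnerable to the false-split attack")
    else:
        notes.append("only protocol 2 is accepted")
    return notes


if __name__ == "__main__":
    for label, cfg in (("stock defaults", DEFAULT_CONFIG), ("port moved", MOVED_PORT_CONFIG)):
        print(label + ":")
        for note in findings(cfg):
            print("  " + note)
```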

Using SCP as a more secure replacement for FTP

From a networking perspective, FTP isn't very secure as usernames, passwords and data are sent across the network unencrypted. More secure forms such as SFTP (Secure FTP) and SCP (Secure Copy) are available as a part of the Secure Shell package that is normally installed by default on RedHat. Secure Copy (SCP) is installed in parallel with SSH and they always run simultaneously on the same TCP port. SCP doesn't support anonymous downloads like FTP. There is a Windows scp client called WinSCP which can be downloaded at: http://winscp.vse.cz/eng/

Copying Files To The Local Linux Box

Command Format:

scp username@address:remotefile localdir

Example: Copy file /tmp/software.rpm on the remote machine to the local directory /usr/rpm

[root@bigboy tmp]# scp root@smallfry:/tmp/software.rpm /usr/rpm

Copying Files To The Remote Linux Box

Command Format:

scp filename username@address:remotedir

Example: Copy file /etc/hosts on the local machine to directory /tmp on the remote server.

[root@bigboy tmp]# scp /etc/hosts root@192.168.1.103:/tmp

Chapter 15: Windows, Linux And Samba

This chapter will only cover the much more popular PDC methodology used at home. Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba Domains and Linux share the same usernames, so you can log into the Samba based Windows domain using your Linux username and immediately gain access to files in your Linux user's home directory. For added security you can make your Samba and Linux passwords different.

When Samba starts up it reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor or using the easier web based SWAT utility. Keep in mind that you will lose all your comments inserted in /etc/samba/smb.conf with a text editor if you subsequently use SWAT to edit it. Explanations of how to use both SWAT and a text editor to configure Samba are given in this chapter.

Download and Install Packages

Samba is comprised of a suite of RPMs that come on the RedHat CDs. As of this writing, the latest version of the Samba suite for RedHat 8.0 was version 2.2.5-10. Install all the packages in this order:

[root@bigboy tmp]# rpm -Uvh samba-common-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-client-2.2.5-10.i386.rpm
[root@bigboy tmp]# rpm -Uvh samba-swat-2.2.5-10.i386.rpm

Downloading and installing RPMs isn't hard. If you need a refresher, the RPM chapter covers how to do this in detail.

How To Get SAMBA Started

• You can configure Samba to start at boot time using the chkconfig command:

[root@bigboy tmp]# chkconfig --level 35 smb on

• You can start/stop/restart Samba after boot time using the smb initialization script as in the examples below:

[root@bigboy tmp]# /etc/init.d/smb start
[root@bigboy tmp]# /etc/init.d/smb stop
[root@bigboy tmp]# /etc/init.d/smb restart

• Remember to restart the smb process every time you make a change to the conf file for the changes to take effect on the running process.
• You can test whether the smb process is running with the following command; you should get a response of plain old process ID numbers:

[root@bigboy tmp]# pgrep smb

Configuring SWAT

SWAT is a very intuitive web based Samba configuration tool that allows you to configure Samba without all the memorization of the keywords needed for text based configuration. Unfortunately it doesn't encrypt your login password. This may be a security concern in a corporate environment. Because of this, you may want to create a Samba administrator user that has no root privileges whatsoever, or do your configuration using the configuration files.

The enabling/disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat. Here is a sample.

service swat
{
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
}

The formatting of the file is fairly easy to understand, especially as there are only two entries of interest.

• The disable parameter must be set to "no" to accept connections.
• By default, you can only log into SWAT from the VGA console as user "root". The URL must point to your localhost IP address on port 901 (http://127.0.0.1:901) as defined by the only_from and port parameters. You can make SWAT accessible from other servers by adding IP address entries, separated by commas, to the only_from parameter. Here's an example of an entry to allow connections only from 192.168.1.3 and localhost:

only_from = localhost, 192.168.1.3

Therefore in this case you can also configure Samba on your Linux server "Bigboy" with IP address 192.168.1.100 from PC 192.168.1.3 using the URL http://192.168.1.100:901

Samba and PC Firewall Software

Firewall software installed on Windows PCs may cause Samba to not function. Here are some ways to solve the problem with two popular packages.

Zone Alarm

The default installation of Zone Alarm assumes that your PC is directly connected to the Internet. This means that the software will deny all inbound connections that attempt to connect with your PC. The NetBIOS traffic that Samba uses to communicate with the PCs on the network will therefore be considered as hostile traffic. The easiest way around this is to configure Zone Alarm to consider your home network as a trusted network too. This can be done by clicking on the firewall tab and editing the settings for your home network, which will most likely have a 192.168.x.x/255.255.255.0 type entry. Make this network a trusted network instead of an Internet network, and ZoneAlarm should cease to interfere with Samba.

The Windows XP Built In Firewall

You may also need to disable the firewall feature of Windows XP by doing the following:

o Bring up Control Panel
o Go through the Network and Internet Connections and then Network Connections menus.
o Right click on your LAN connection icon and select Properties
o Click on the Advanced tab.
o Uncheck the Internet Connection Firewall box and it will be turned off.

Once you get SAMBA to work, you may want to experiment with the firewall software settings to balance your security with the need to maintain a valid relationship with the SAMBA server.

How To Create A Samba PDC Administrator User

To do both SWAT and user administration with Samba you'll need to create an Administrator account on the Samba PDC Linux box. Here is how it's done:

Create The Administrator's User Group and Directories

o First create a Linux group for administrators:

[root@bigboy tmp]# /usr/sbin/groupadd sysadmin

o Then create a Linux directory to house all the administrator directories:

[root@bigboy tmp]# mkdir /home/sysadmin
[root@bigboy tmp]# chgrp sysadmin /home/sysadmin
[root@bigboy tmp]# chmod 0770 /home/sysadmin

Create The Administrator User Under Linux

o For each administrator user, create a Linux user with the adduser command:

[root@bigboy tmp]# /usr/sbin/adduser -d /home/sysadmin/administrator \
        -g sysadmin -m -k /etc/skel.smb -n administrator

o As this user may not need a real Linux login, especially if you're using SWAT, we won't assign a real Linux password. Samba domain logins use the smbpasswd password. This provides an added level of security.

Note: If you want user "administrator" to be able to log into the Linux box as a regular user via Telnet or SSH, then you'll have to use the Linux passwd command to give this user a Linux (not a Samba domain) password.

The table below explains what each of the adduser command switches used does. In this case the administrator user has been made a member of the sysadmin group.

Adduser's Command Switches

useradd command switch   Description
-g group                 Sets the group to which the user should be added.
-n                       Tells RedHat NOT to create a default group with the same name as the user. (Redundant in this case)
-m                       Forces linux to create the directory specified with the -d switch
-d dir_path              Home directory for the new user
-k /etc/skel.smb         Tells adduser to copy the contents of the directory /etc/skel.smb to the user's new home directory. Usually default login scripts.

Create An Administrator Domain Password

The Linux Administrator now needs a Samba password to log into the Windows domain. This is done with the smbpasswd command. Use a generic password then have users change it immediately from their workstation the usual way.

[root@bigboy tmp]# /usr/bin/smbpasswd -a administrator password

The -a adds the user administrator to the /etc/smbpasswd file.

Make The Administrator One Of The Samba Admin Users

Edit the /etc/samba/smb.conf file and add the sysadmin group to the list of Samba system administrator users. You'll need to restart Samba for this to take effect.

[global]
        admin users = @sysadmin

This can also be set via SWAT in the expanded "global settings" section.

How to Configure a Samba PDC

Create A Samba PDC

By far the easiest way to configure a Samba PDC is by using SWAT. Log into SWAT and click on the "globals" section and make sure the key highlighted parameters below are set correctly.

# Samba config file created using SWAT
# from 192.168.1.101 (192.168.1.101)
# Date: 2002/11/10 19:54:45

# Global parameters
[global]
##
## The name I want to give my DOMAIN
##
        workgroup = HOMENET

Manual Creation Of Machine Trust Accounts (NT Only)
When manually creating a machine trust account you need to manually create the corresponding Unix account in /etc/passwd and /etc/smbpasswd files.linuxhomenetworking. [root@bigboy nickname" -s [root@bigboy [root@bigboy tmp]# /usr/sbin/useradd -g 100 -d /dev/null -c "machine /bin/false machine_name$ tmp]# passwd -l machine_name$ tmp]# smbpasswd -a -m machine_name
.com
## ## Only users in the sysadmin group can use SWAT ## to modify Samba and ## admin users = @sysadmin printer admin = @sysadmin printing = lprng Next you will have to use SWAT to click on the “shares” button. Samba can create these “Machine Trusts” in two ways. Pay careful attention to the "$" at the end and replace machine_name with the name of the Windows client machine. either manually or automatically.
Create Your PC Machine Trusts
PDCs will only accept user logins from trusted PCs that have been placed in its PC client database. Here you will use the drop down menu to edit the netlogon and profiles shares [netlogon] ## ## Store all Samba PDC overhead data in the directory ## /home/netlogon (or whatever you desire) ## path = /home/netlogon write list = administrator guest ok = Yes [profiles] ## ## Store user profiles in this directory ## path = /home/ntprofile read only = No create mask = 0600 directory mask = 0700 guest ok = Yes browseable = No Click on the “Status” button at the top of the screen and restart Samba to make your settings take effect.

Chapter 15 : Windows, Linux And Samba

This is the only way to configure machine trusts using Windows NT.

Dynamic Creation Of Machine Trust Accounts
The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client joins the domain. This method is also referred to as making a machine account "on the fly". This can be done by editing /etc/samba/smb.conf to automatically add the required users. This is probably easier to do if you use SWAT in the "Global" menu.

[global]
# <...remainder of parameters...>
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

Make Your PC Clients Aware Of Your Samba PDC
When you log into the domain, the PDC will send your new client PC a list of universal "look and feel" related features that may have been previously set by the Administrator. These include things like suppressing the splash screen, defining your wall paper and setting the way dates are formatted. This information is stored in the netlogon directory. How to configure the netlogon directory is beyond the scope of this chapter, but suffice it to say that the directory must be created on the Linux box for Samba to operate correctly.

[root@bigboy tmp]# mkdir /home/netlogon
[root@bigboy tmp]# chmod 0755 /home/netlogon

You'll then have to log into each PC client and do the following steps depending on their operating system.

Windows 95/98/ME
Windows 9x machines do not implement full domain membership and therefore don't require machine trust accounts.
• Navigate to the Network section of the Control Panel (Start -> Settings -> Control Panel -> Network)
• Select the Configuration tab
• Highlight "Client for Microsoft Networks"
• Click the Properties button
• Check "Log onto Windows NT Domain", and enter the domain name
• Click all the OK buttons and reboot!
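The add user script above creates every machine trust account as a Unix account that can never log in interactively: no home directory (-d /dev/null) and a non-login shell (-s /bin/false). As an added example (not from the manual), the shell function below audits a passwd-format file for machine accounts that drift from that profile, which is what you would run periodically on the PDC to catch an account that somebody "repaired" by hand. It assumes Samba's convention of naming machine accounts with a trailing "$" and uses a constructed sample file in place of the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the manual: audit machine trust accounts.
# The "add user script" creates each client's Unix account with no home
# directory (-d /dev/null) and a non-login shell (-s /bin/false), so a
# machine account can never be used for an interactive login. This function
# reads a passwd-format file and reports every machine account (assumed, as
# in Samba, to be named with a trailing "$") that deviates from that profile.
# Exit status: 0 when all machine accounts are clean, 1 when any is not.
audit_machine_accounts() {
    awk -F: '
        # Only machine trust accounts (name ends with "$") are of interest.
        substr($1, length($1), 1) == "$" {
            problems = ""
            if ($7 != "/bin/false" && $7 != "/sbin/nologin")
                problems = problems " shell=" $7
            if ($6 != "/dev/null")
                problems = problems " home=" $6
            if (problems != "") {
                print $1 ":" problems
                bad++
            }
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample data standing in for /etc/passwd: one clean machine
# account (winxp01$) and one that somebody "fixed" by hand (win2k02$), giving
# it a real home directory and a login shell.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:500:100::/home/administrator:/bin/bash
winxp01$:x:501:100::/dev/null:/bin/false
win2k02$:x:502:100::/home/win2k02$:/bin/bash
EOF
}

# Against the live system you would simply run:
#   audit_machine_accounts /etc/passwd
```

The check deliberately accepts /sbin/nologin as well as /bin/false, since either shell refuses a login; anything else on a machine account is reported together with the offending fields so the line can be corrected with usermod.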

www.linuxhomenetworking.com

Windows NT
• Create a manual SAMBA machine trust account as explained above, then go through the following steps:
• Navigate to the Network section of the Control Panel (Start -> Settings -> Control Panel -> Network)
• Select the "Identification" tab
• Click the "Change" button
• Enter the domain name and computer name. Do not check the box "Create a Computer Account in the Domain." In this case, the existing machine trust account is used to join the machine to the domain.
• Click "OK"
• You should then get a confirmation that you've been added with a "Welcome to <DOMAIN>" message.
• Reboot.
• Log in using any account in the /etc/smbpasswd file with your domain as the domain name.

Windows 2000
• Create a dynamic SAMBA machine trust account as explained above, then go through the following steps:
• Press Windows-key Break-key simultaneously to get the System Properties dialogue box
• Click on the 'Network Identification' tab on the top
• Click the "Properties" button
• Click on the "Member of Domain" button
• Also enter your domain name and computer name and then click "OK"
• You will now be prompted for a user account and password with rights to join a machine to the domain. This should be your Samba administrator. In our case that would be user "administrator" with the corresponding smbpasswd password. (See this note before proceeding.)
• You should then get a confirmation that you've been added with a "Welcome to <DOMAIN>" message.
• Reboot.
• Log in using any account in the /etc/smbpasswd file with your domain as the domain name.

Windows XP
• Create a dynamic SAMBA machine trust account as explained above, then go through the following steps:
• Press Windows-key Break-key simultaneously to get the System Properties dialogue box

• Click on the 'Computer Name' tab on the top
• Click on the 'Change' button
• Click on the "Member of Domain" button
• Also enter your domain name and computer name and then click "OK"
• You will now be prompted for a user account and password with rights to join a machine to the domain. This should be your Samba administrator. In our case that would be user "administrator" with the corresponding smbpasswd password.
• Reboot.
• Log in using any account in the /etc/smbpasswd file with your domain as the domain name.

How To Add Users To Your Samba Domain

Add The Users In Linux
First go through the process of adding users in Linux just like you would normally do. Use a generic password then have users change it immediately from their workstation the usual way. Passwords won't be necessary unless you want the users to log in to the Samba server via Telnet or SSH.

Map The Linux Users To An smbpassword
Next you need to create Samba domain login passwords for all users:

[root@bigboy tmp]# /usr/bin/smbpasswd -a username password

The -a adds the user to the /etc/smbpasswd file.

Map A Drive Share
By default, Samba will automatically give each user logged into the domain an H: drive that really maps to the /home/username directory on the Linux box.

Mapping Using "My Computer"
If the auto-mapping doesn't work then do the following:
• Let the user log into the domain
• Right click on the "My Computer" icon on the desktop
• Click on "Map Network Drive"
• Select a drive letter

• Browse to the HOMENET domain, then the Samba server, then the user's home directory
• Click on the check box "Reconnect at Logon", to make the change permanent

Mapping From The Command Line
If you find the "My Computer" method too time consuming for dozens of users or if the PC doesn't have the feature available, then you can do the following and possibly make it into a script.
• Create a master logon batch file for administrator users. We will add the contents of this file to all administrator's logon scripts.

[root@bigboy tmp]# vi /home/netlogon/administrator.bat

• Add the following contents to mount the user's share as drive P: (for 'private').

REM administrator
net use P: \\bigboy\administrator

• Make the file world readable:

[root@bigboy tmp]# chmod +r /home/netlogon/administrator.bat

• Linux and Windows format text files slightly differently. As the file resides on a Linux box, but will be interpreted by a Windows machine, you'll have to convert the file to the Windows format. This requires the 'todos' program to be installed. (You can get this package from http://speakeasy.rpmfind.net )

[root@bigboy tmp]# todos /home/netlogon/administrator.bat

• The next page will show you how to add regular users to your new SAMBA domain

Domain Groups And Samba
Samba supports domain groups which will allow users who are members of the group to be able to have Administrator rights on each PC in the domain. This will allow them to do such things as add software and configure network settings. In Windows, Domain Groups also have the ability to join machines to the domain, but this is not currently supported in Samba. The domain admin group parameter specifies users who will have domain admin rights. The argument is a space-separated list of user names or group names (group names must have an @ sign prefixed). For example:

domain admin group = <USER1> <USER2> @<GROUP>

How To Delete Users From Your Samba Domain

Delete The Users In Linux
First go through the process of deleting users in Linux just like you would normally do. Here we are deleting the user zmeekins and all of zmeekins' files from the Linux server:

[root@bigboy tmp]# userdel -r zmeekins

Delete The Users Using smbpasswd
Next, use the smbpasswd command with the "-x" switch:

[root@bigboy tmp]# smbpasswd -x zmeekins
Deleted user zmeekins.
[root@bigboy root]#

o You'll now get the "Add a New Print Queue" menu
o Click "forward"
o You'll get the "Set the Print Queue name and Type" menu
o Give the printer an easy to remember name. (My printer is an Epson Stylus C60, I called the printer queue EpsonC60)
o Click the local printer button
o Click "forward"
o You'll get the "Configure a Local Printer" menu
o Select /dev/lp0 as I assume the printer is on the parallel port (not USB)
o You'll get the "Select Print Driver" menu
o Scroll to the printer
o Double click on the name
o Select the driver
o Click "forward"
o You'll get the "Finish and Create the New Print Queue" menu
o Click finished
o Click "Apply"
o Do a test print to make sure all is OK

Make Samba Aware Of The Printer
The easiest way to do this is using the Samba SWAT web interface. Once you are in SWAT:
o Select the "Printers" button
o Find your printer in the drop down menu
o If the printer name has a [*] beside it, then it has been auto configured by Samba, but may not be visible on your network because Samba hasn't been restarted since creating the printer. If this is the case, restart Samba and go to the next section.
o If this isn't the case, edit/create the printer
o Click on the "Commit Changes" button to create an updated /etc/samba/smb.conf file.
o Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.

Chapter 16: Sharing Resources With Samba

Configure The Printer Driver On The Workstations
o Download the Windows printer driver from the manufacturer and install it.
o Go to the Add printer menu
o Click the "Next" button
o Select the "Network Printer" button to get the "Local or Network Printer" menu
o Click the "Next" button
o You should be on the "Locate Your Printer" menu
o Don't enter a name. Click next so you can browse for your printer
o You should be on the "Browse for Printer" menu
o Double Click on the name of your Linux Samba Box
o You should see the new printer
o Click on the printer name
o Click the "Next" button
o You may get a message stating "The server on which the printer resides does not have the correct printer driver installed. If you want to install the driver on your local computer, click OK". Fortunately, you pre installed the driver
o Click the "OK" button
o The "Add Printer Wizard" will appear
o Select the manufacturer of your printer
o Select the printer model
o Click the "OK" button
o The "Add Printer Wizard" will prompt you whether you want to use this new printer as the default printer. Select "Yes" or "No" depending on your preference
o Click the "Next" button
o The "Completing the Add Printer Wizard" menu will appear
o Click the "Finish" button

o The new printer should now show up on the Windows Printers menu in "Control Panel"
o Send a test print.

Creating Group Shares in SAMBA
On occasion, subgroups of a family need a share that is fully accessible by all members of the group. For instance, parents working in a home office environment may need a place where they can share, distribute or collaboratively work on documents. Here's how it's done.

Create The Directory And User Group
o Create a new Linux group parents:

[root@bigboy tmp]# /usr/sbin/groupadd parents

o Create a new directory for the group's files, where parents is the name of the Linux user group. If one user is designated as the leader, you might want to change the chown statement to make them owner.

[root@bigboy tmp]# mkdir /home/parent-files
[root@bigboy tmp]# chown root:parents /home/parent-files
[root@bigboy tmp]# chmod 0770 /home/parent-files

o Next we add the group members to the new group. For example, let's add user "father" to the group.

[root@bigboy tmp]# /usr/sbin/usermod -G parents father

Configure The Share In SWAT
o Finally, create the share in Samba using SWAT.
o Click on the shares button then enter the name of the share you want to create, let's say "only-parents". Click on the "Create Share" button.
o Make sure the path maps to "/home/parent-files" and make the valid users be @parents.
o Click on the "Commit Changes" button to create a new /etc/samba/smb.conf file.
o Click on the "Status" tab at the top of the screen and restart smbd and nmbd to restart Samba.

Your /etc/samba/smb.conf file should have an entry like this at the end:

# Parents Shared Area
[only-parents]
path = /home/parent-files
valid users = @parents

Map The Directory Using "My Computer"
o Let the user log into the domain from a remote PC
o Right click on the "My Computer" icon on the desktop
o Click on "Map Network Drive"
o Select a drive letter
o Browse to the HOMENET domain, then the Samba server, then the share named only-parents
o Click on the check box "Reconnect at Logon", to make the change permanent

Windows Drive Sharing With Your SAMBA Server
You can also access a CD, ZIP, DVD, floppy or hard drive installed on a Windows Client from the Samba server. In this section we'll attempt to share a ZIP drive.

Windows Setup
The Windows client box should first be setup as a member of a Samba domain or workgroup. The next step is to make the ZIP drive shared.

Windows 98/ME
• Double click 'My Computer'
• Right click on the ZIP drive and choose 'Sharing'
• Set the Share Name as 'zip' with the appropriate access control
• Restart windows

Windows 2000
• Double click 'My Computer'
• Right click on the ZIP drive and choose 'Sharing'
• Set the Share Name as 'zip' and the appropriate access control
• Logout and login again as normal using your current login

Windows XP
• Double click 'My Computer'
• Right click on the ZIP drive and choose 'Sharing and Properties'
• Set the Share Name as 'zip' and the appropriate access control
• Logout and login again as normal using your current login

Test Your Windows Client Configuration
Use the smbclient command to test your share. You should substitute "WinClient" with the name of your Windows client PC and "username" with a valid workgroup/domain username that normally has access to the Windows client. You should get output like this when using the username's corresponding password:

[root@bigboy tmp]# smbclient -L WinClient -U username
added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Got a positive name query response from 192.168.1.253 ( 192.168.1.253 )
Password:
Domain=[HOMENET] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       Remote IPC
        D$             Disk      Default share
        print$         Disk      Printer Drivers
        SharedDocs     Disk
        zip            Disk
        Printer2       Printer   Acrobat PDFWriter
        ADMIN$         Disk      Remote Admin
        C$             Disk      Default share

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Note: You could have got the same result using the following command, though it is less secure:

[root@bigboy tmp]# smbclient -L WinClient -U username%password

Create A ZIP Drive Mount Point On Your Samba Server
You'll need to create the mount point on the Linux server in order to mount and access the ZIP floppy. Here's how to do it.
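The "less secure" form above puts the password where every local user can read it: in the shell history and in the process list shown by ps. As an added example (not from the manual), the helper below writes an smbclient credentials file for the -A option instead, with owner-only permissions, reading the password from standard input so that it never appears as a command-line argument either. The file name, the HOMENET default and the sample password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the manual. "-U username%password" leaves the
# password in the shell history and shows it to every local user in the
# process list. smbclient can instead read credentials from a file given
# with -A; this helper writes that file with owner-only permissions. The
# password is read from standard input rather than taken as an argument,
# because arguments are visible in "ps" as well.
#
# Usage: printf '%s\n' "$password" | make_smb_credfile /root/.smbcred-winclient username HOMENET
#        smbclient -L WinClient -A /root/.smbcred-winclient
make_smb_credfile() {
    cred_file=$1
    user=$2
    domain=${3:-HOMENET}       # default domain name taken from the manual's example
    IFS= read -r password || [ -n "$password" ] || return 1
    old_umask=$(umask)
    umask 077                  # create the file as mode 0600 from the start
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$password" "$domain" > "$cred_file" || return 1
    umask "$old_umask"
    chmod 0600 "$cred_file"    # also tighten a file that already existed
}

# Report a file's permission string the way "ls -l" shows it, e.g. -rw-------.
# Used to verify that the credentials file is readable by its owner only.
cred_file_mode() {
    ls -ld "$1" | cut -c1-10
}
```

The credentials file format (username, password and domain, one per line) is the one smbclient's -A option reads. Keep the file under a directory only root can enter, and delete it once the share has been tested if you do not need it for a permanent mount.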

When To Use A DNS Caching Nameserver
DNS caching servers should be used by the machines on your network to provide DNS information that it has learned from the authoritative DNS servers of the Internet. Caching DNS servers then store (or cache) the most frequently requested information to reduce the lookup overhead of subsequent queries.

Setting up a caching DNS server is fairly straightforward and will work whether or not your ISP provides you with a static or dynamic Internet IP address. Once you have set up your caching DNS server you will then have to configure each of your home network PCs to use it as their DNS server. If your home PCs get their IP addresses using DHCP, then you will have to configure your DHCP server to make it aware of the IP address of your new DNS server. Off the shelf router/firewall appliances used in most home networks will usually act as both the caching DNS and DHCP server. In this case a separate DNS server is unnecessary.

Note: Regular nameservers are also caching nameservers by default.

When To Use A Regular DNS Server
If you host your own website at home with full control of all the web domains and your ISP provides you with a "fixed" or "static" IP address, then a regular DNS server is what you require. A caching DNS nameserver is only used as a reference; regular nameservers are used as the authoritative source of information. If you want to advertise your website www.my-site.com to the rest of the world, then a regular DNS server would be the way to go.

When To Use Dynamic DNS
Your DSL ISP will assign IP addresses to your home either with an unchanging, "fixed" or "static" IP address or via a changing "DHCP" method. If your router/firewall is getting its Internet IP address using DHCP then you must consider dynamic DNS. This chapter assumes that you are using "static" Internet IP addresses.

How To Download and Install The BIND Packages
Most RedHat Linux software products are available in the RPM format. It comes standard with the RedHat installation CDs. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. As of this writing the latest version of the BIND suite for RedHat 8.0 was version 9.2.1-9.

[root@bigboy tmp]# rpm -Uvh bind-9.2.1-9.i386.rpm

How To Get BIND Started
• You can use the chkconfig command to get BIND configured to start at boot:

Chapter 17: Configuring DNS

[root@bigboy tmp]# chkconfig --level 35 named on

• To start/stop/restart BIND after booting:

[root@bigboy tmp]# /etc/init.d/named start
[root@bigboy tmp]# /etc/init.d/named stop
[root@bigboy tmp]# /etc/init.d/named restart

• Remember to restart the BIND process every time you make a change to the conf file for the changes to take effect on the running process.

The /etc/resolv.conf File
This file is used by DNS clients (servers not running BIND) to determine both the location of their DNS server and the domains to which they belong. It generally has two columns, the first contains a keyword and the second contains the desired value(s) separated by commas. Here is a list of keywords:

Keyword      Value
nameserver   • IP address of your DNS nameserver. There should be only one entry per "nameserver" keyword. If there is more than one nameserver, you'll need to have multiple "nameserver" lines.
domain       • The local domain name to be used by default. If the server is bigboy.my-site.com, then the entry would just be my-site.com.
search       • If you refer to another server just by its name without the domain added on, DNS on your client will append the server name to each domain in this list and do an nslookup on each to get the remote servers' IP address. This is a handy time saving feature to have so that you can refer to servers in the same domain by only their servername without having to specify the domain. The domains in this list must be separated by spaces.

Here is a sample configuration in which:
• The client server's main domain is my-site.com, but it also is a member of domains my-site.net and my-site.org which should be searched for short hand references to other servers.
• Two nameservers, 192.168.1.100 and 192.168.1.102, provide DNS name resolution.

domain my-site.com
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
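A resolv.conf that breaks one of the rules above (two addresses on one nameserver line, a comma-separated search list) fails quietly: the resolver just ignores what it cannot parse and the machine appears to have "no DNS". As an added example (not from the manual), the shell function below checks a resolv.conf file against those rules before it is copied onto the client PCs. The two sample files are constructed: one is the working configuration from the text, the other contains both mistakes.

```shell
#!/bin/sh
# Added example, not from the manual: a checker for the /etc/resolv.conf
# keyword format described in the text. It reports one line per problem and
# exits 1 when anything is wrong, 0 when the file is usable.
check_resolv_conf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }          # blank lines and comments
        $1 == "nameserver" {
            ns++
            if (NF != 2) {
                print "line " NR ": one IP address per nameserver line; use several nameserver lines"
                bad++
            } else if ($2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print "line " NR ": nameserver value is not an IPv4 address: " $2
                bad++
            }
            next
        }
        $1 == "domain" {
            if (NF != 2) { print "line " NR ": domain takes exactly one domain name"; bad++ }
            next
        }
        $1 == "search" {
            if ($0 ~ /,/) {
                print "line " NR ": search domains are separated by spaces, not commas"
                bad++
            }
            if (NF < 2) { print "line " NR ": search needs at least one domain"; bad++ }
            next
        }
        $1 == "options" || $1 == "sortlist" { next }   # valid keywords not covered by the text
        { print "line " NR ": unknown keyword \"" $1 "\""; bad++ }
        END {
            if (ns == 0) { print "no nameserver line found"; bad++ }
            if (bad > 0) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample files: the working configuration from the text, and a
# broken one with a comma-separated search list and two IPs on one line.
write_resolv_samples() {
    cat > "$1/good.conf" <<'EOF'
domain my-site.com
search my-site.com my-site.net my-site.org
nameserver 192.168.1.100
nameserver 192.168.1.102
EOF
    cat > "$1/bad.conf" <<'EOF'
domain my-site.com
search my-site.com,my-site.net,my-site.org
nameserver 192.168.1.100 192.168.1.102
EOF
}

# Usage on a client: check_resolv_conf /etc/resolv.conf
```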

Configuring A Caching Nameserver
The RedHat default installation of BIND is configured to convert your Linux box into a caching nameserver. The only file you have to edit is /etc/resolv.conf in which you'll have to comment out the reference to your previous DNS server (most likely your router) with a "#" or make it point to the server itself using the universal localhost IP address of 127.0.0.1.

Old Entry:
nameserver 192.168.1.1

New Entry:
# nameserver 192.168.1.1
or:
nameserver 127.0.0.1

The next step is to make all the other machines on your network point to the caching DNS server as their primary DNS server.

Configuring A Regular Nameserver
For the purposes of this tutorial, the subnet that has been assigned to you by your ISP is 97.158.253.24 with a subnet mask of 255.255.255.248 (/29).

Configuring named.conf
o The main DNS configuration is kept in the file /etc/named.conf which is used to tell BIND where to find the configuration files for each domain you own. There are usually two zone areas in this file:
  Forward zone file definitions which list files to map domains to IP addresses
  Reverse zone file definitions which list files to map IP addresses to domains
o In this example the forward zone for www.my-site.com is being set up by placing the following entries at the bottom of the /etc/named.conf file. The zone file is named my-site.zone and, though not explicitly stated, the file my-site.zone should be located in the default directory of /var/named.

zone "my-site.com" {
        type master;
        notify no;

        allow-query { any; };
        file "my-site.zone";
};

o You can also insert additional entries in the /etc/named.conf file to reference other web domains you host. Here is an example for my-other-site.com using a zone file named my-other-site.zone.

zone "my-other-site.com" {
        type master;
        notify no;
        allow-query { any; };
        file "my-other-site.zone";
};

o The reverse zone definition below is optional for a home / SOHO DSL based web site. It just makes you able to do an nslookup query on the 97.158.253.x IP address and get back the true name of the server assigned that IP address. This is rarely done for home based sites. It is especially difficult to do this with your DSL ISP if you have less than 256 static IP addresses (also known as a "Class C" block of addresses). Note: the reverse order of the IP address in the zone section is important.

zone "253.158.97.in-addr.arpa" {
        type master;
        notify no;
        allow-query { any; };
        file "253.158.97";
};

Configuring The Zone Files
o In all zone files, you can place a comment at the end of any line by inserting a semi-colon ";" character then typing in the text of your comment.
o By default, your zone files are located in the directory /var/named.
o Each zone file contains a variety of records (eg. SOA, NS, MX, A and CNAME) which govern different areas of BIND. I'll explain each of them below and then follow it all up with an example.

The SOA Record
The very first record is the Start of Authority (SOA) record which contains general administrative and control information about the domain. It is the most counter-intuitive of them all; the rest of the records are relatively straight forward. Though you would normally think a record would be a single line, the SOA format spans several.

SOA Record Format

Line 1
  Columns 1, 2, 3 ("@ IN SOA")  Signifies that the SOA record is about to begin.
  Column 4 (Nameserver)         Fully qualified name of your primary nameserver. Must be followed by a "."
  Column 5 (Email)              The email address of the nameserver administrator. The regular "@" in the e-mail address must be replaced with a "." instead. The email address must also be followed by a "."
  Column 6 ("(")                Signifies that we're about to define some performance related variables.
Line 2
  Column 1 (Serial)             A serial number for the current configuration. Usually in the date format YYYYMMDD with a single digit incremented number tagged to the end.
Line 3
  Column 1 (Refresh)            Tells the slave DNS server how often it should check the master DNS server. Slaves aren't really used in home / SOHO environments.
Line 4
  Column 1 (Retry)              The slave's retry interval to connect the master in the event of a connection failure. Slaves aren't really used in home / SOHO environments.
Line 5
  Column 1 (Expire)             Total amount of time a slave will retry to contact the master before expiring the data it contains. Slaves aren't really used in home / SOHO environments.
Line 6
  Column 1 (Minimum TTL)        The amount of time external caching DNS servers should keep your DNS information before flushing the data from the cache. As of BIND version 9 this value is overridden by the $TTL command at the very top of the configuration file.
  Column 2 (")")                Signifies that we're all finished with the variables.

my-site. followed by a ". BIND will automatically tack on the domain name.my-site. but if you forget to put the ".0.com. A And CNAME Records
Unlike the SOA record.com." after the domain in the MX record for my-site.com.1 Provides additional alternate "alias" names for servers listed in the "A" records. A and CNAME records each occupy a single line and the records each have a very similar layout.com
Blank
"NS"
N/A
MX
Domain. MX." N/A
A
Maps an IP address to each server in your domain. the NS. NS.
Server name
"A"
IP address of server
CNAME
"alias" or "nickname" for server
"CNAME"
"A" record name for server
N/A
**The Fully Qualified Domain Name (FQDN) is the full DNS name of the server such as mail." at the end of a host name in a SOA. A and CNAME Record Formats Record Description First Column Second Column Third Column IP address or CNAME of the nameserver Mail server priority Fourth Column
NS
Lists the name of the nameserver for the domain Lists the mail servers for your domain such as mysite. This may be OK in most cases. MX.0. NS.com
o
Note: If you don't put a ".mysite.
."
"MX"
CNAME of mail server or the mailserver's FQDN** followed by a ".Chapter 17: Configuring DNS
187
NS. and you will find your mail server only accepting mail for the domain my-site. There must always be an entry for localhost 127.com at the end. BIND will attach the my-site. A or CNAME record. So an "A" record with "www" will be assumed to refer to www.com. MX.

Sample Forward Zone File
Here is a working example of the zone file for my-site.com. Notice that in this example:
o Server www.my-site.com is nameserver for my-site.com. In corporate environments there may be a separate nameserver for this purpose. Primary nameservers are more commonly called "ns1" and secondary nameservers "ns2", but in the home / SOHO environment it is not necessary to differentiate.
o The MX record for my-site.com points to the server named mail.my-site.com. "mail" is actually a CNAME or "alias" for the web server "www". So here we have an example of the nameserver, mail server and web server being the same machine. If they were all different machines, then you'd have an "A" record entry for each like the example below.

www     A    97.158.253.26
mail    A    97.158.253.134
ns      A    97.158.253.125

o The serial number is extremely important. You MUST increment it after editing the file or else BIND will not apply the changes you made when you restart "named".
o The minimum TTL is set to 3600 seconds, but the overriding $TTL value is 3 days. So remote DNS caching servers will store learned DNS information from your zone for 3 days before flushing it out of their caches.

The full zone file:

;
; Zone file for my-site.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      www             ; Inet Address of nameserver
my-site.com.    MX      10 mail         ; Primary Mail Exchanger

localhost       A       127.0.0.1
www             A       97.158.253.26
mail            CNAME   www

Sample Reverse Zone File
Now we need to make sure that we can do an nslookup query on all our home network's PCs and get their correct IP addresses. This is very important if you are running a mail server on your network as sendmail typically will only relay mail from hosts whose IP addresses resolve correctly in DNS. Here is a sample reverse zone file for our network.

You may also want to create a reverse zone file for the public NAT IP addresses for your home network. Unfortunately ISP's won't usually delegate this ability for anyone with less than a "Class C" block of 256 IP addresses. Most home DSL sites wouldn't qualify.

;
; Filename: 192-168-1.zone
;
; Zone file for 192.168.1.x
;
$TTL 3D
@       IN      SOA     www.my-site.com. hostmaster.my-site.com. (
                        200303301       ; serial number
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds

                NS      www.my-site.com.        ; Nameserver Address

100     PTR     bigboy.my-site.com.
103     PTR     smallfry.my-site.com.
102     PTR     ochorios.my-site.com.
105     PTR     reggae.my-site.com.
32      PTR     dhcp-32.my-site.com.
33      PTR     dhcp-33.my-site.com.
34      PTR     dhcp-34.my-site.com.
35      PTR     dhcp-35.my-site.com.
36      PTR     dhcp-36.my-site.com.

Note: I have included entries for addresses 192.168.1.32 to 192.168.1.36 which are the addresses our DHCP server issues. SMTP mail relay wouldn't work for PCs that get their IP addresses via DHCP if these lines weren't included.

What You Need To Know About NAT And DNS
The above examples assume that the queries will be coming from the Internet with the zone files returning information related to the external 97.158.253.x network. What do the PCs on your home network need to see? They need to see DNS references to the real IP address of the webserver, 192.168.1.100. This is because NAT won't work properly if a PC on your home network attempts to connect to the external 97.158.253.26 NAT IP address of your webserver.

Don't worry, BIND has a way around this called "views". The views feature allows you to force BIND to use pre-defined zone files for queries from certain subnets. This means it's possible to use one set of zone files for queries from the Internet and another set for queries from your home network. Here's a summary of how it's done:
o Place your zone statements in the /etc/named.conf file in one of two "views" sections. The first section will be called "internal" and will list the zone files to be used by your internal network. The second view called "external" will list the zone files to be used for Internet users. For example, you could have a reference to a zone file called my-site.zone for lookups related to the 97.158.253.X network which Internet users would see. This /etc/named.conf entry would be inserted in the "external" section. You could also have a file called my-site-home.zone for lookups by home users on the 192.168.1.0 network. This entry would be inserted in the "internal" section. The creation of the my-site-home.zone file is fairly easy. Just copy it from the my-site.zone file and replace all references to 97.158.253.X with references to 192.168.1.X. Remember to increment your serial numbers!
o You must also tell the DNS server which addresses you feel are "internal" and "external". This is done by first defining access control lists (ACLs) and then referring to these lists within each view section with the match-clients statement. There are some built-in ACLs: "localhost" which refers to the DNS server itself, "localnets" which refers to all the networks to which the DNS server is directly connected, and "any" which is self explanatory.

Note: You must place your "localhost", "0.0.127.in-addr.arpa" and "." zone statements in the "internal" views section.

Here is a sample configuration snippet for the /etc/named.conf file I use for my home network. All the statements below were inserted after the "options" and "controls" sections in the file.

// ACL statement
acl "trusted-subnet" { 192.168.17.0/24; };

view "internal" {               // What the home network will see
        match-clients { localnets; localhost; "trusted-subnet"; };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "localhost" IN {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "named.local";
                allow-update { none; };
        };

        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "192-168-1.zone";
                allow-update { none; };
        };

        zone "my-site.com" {
                type master;
                notify no;
                file "my-site-home.zone";
                allow-query { any; };
        };

        zone "my-other-site.com" {
                type master;
                notify no;
                file "my-other-site-home.zone";
                allow-query { any; };
        };
};

view "external" {               // What the Internet will see
        match-clients { any; };
        recursion no;

        zone "my-site.com" {
                type master;
                notify no;
                file "my-site.zone";
                allow-query { any; };
        };

        zone "my-other-site.com" {
                type master;
                notify no;
                file "my-other-site.zone";
                allow-query { any; };
        };
};

Note: In the above example I included an ACL for network 192.168.17.0/24 called "trusted-subnet" to help clarify the use of ACLs in more complex environments. Once the ACL was defined, I then inserted a reference to the "trusted-subnet" in the match-clients statement in the "internal" view. So in this case the local network (192.168.1.0/24), the other trusted network (192.168.17.0) and localhost will get DNS data from the zone files in the "internal" view. Remember, this is purely an example. The home network we have been using doesn't need to have the ACL statement at all as the built in ACLs "localnets" and "localhost" are sufficient. Our network won't need the "trusted-subnet" section in the match-clients line either.

Loading Your New Configuration Files
o Make sure your file permissions and ownership are OK in /var/named

[root@bigboy tmp]# cd /var/named
[root@bigboy named]# ll
total 6
-rw-r--r--    1 named    named         195 Jul  3  2001 localhost.zone
-rw-r--r--    1 named    named        2769 Jul  3  2001 named.ca
-rw-r--r--    1 named    named         433 Jul  3  2001 named.local
-rw-r--r--    1 root     root          763 Oct  2 16:23 my-site.zone
[root@bigboy named]# chown named *
[root@bigboy named]# chgrp named *
[root@bigboy named]# ll
total 6
-rw-r--r--    1 named    named         195 Jul  3  2001 localhost.zone
-rw-r--r--    1 named    named        2769 Jul  3  2001 named.ca
-rw-r--r--    1 named    named         433 Jul  3  2001 named.local
-rw-r--r--    1 named    named         763 Oct  2 16:23 my-site.zone
[root@bigboy named]#

o The configuration files above will not be loaded until you issue the following command to restart the named process that controls DNS (Make sure to increment your configuration file serial number before doing this):

[root@bigboy tmp]# /etc/init.d/named restart

Make Sure Your /etc/hosts File Is Correctly Updated
The chapter covering Linux networking topics explains how to do this. Some programs such as sendmail require a correctly configured /etc/hosts file even though DNS is correctly configured.

Configure Your Firewall
The sample network we're using assumes that the BIND nameserver and Apache web server software run on the same machine protected by a router/firewall. The actual IP address of the server is 192.168.1.100, which is a private IP address. You'll have to employ NAT in order for Internet users to be able to gain access to the server via the Public IP address we chose, namely 97.158.253.26. If your firewall is a Linux box, you may want to consider taking a look at the iptables chapter on how to do the NAT and allow DNS traffic through to your nameserver.

Chapter 17: Configuring DNS

How To Migrate Your Website In-House

It is important to have a detailed migration plan if you currently use an external company to host your website and wish to move the site to a server at home or in your office. At the very least it should include the following steps:

• There is no magic bullet which will allow you to tell all the caching DNS servers in the world to flush their caches of your zone file entries. Your best alternative will be to request your existing service provider to set the TTL on my-site.com in the DNS zone file to a very low value, say 1 minute. It normally takes about 3-4 days for your updated DNS information to be propagated to all 13 of the world's root ("super duper") nameservers. As the TTL is usually set to 3 days, you'll therefore have to wait about this amount of time before you'll start noticing people hitting your new website. Once the propagation is complete, it will take only 1 minute to see the results of the final DNS configuration switch to your new server.
• Set up your server in house using a different domain, for example my-site-test.com.
• Ask your existing web hosting provider to add a DNS entry for your new server in the my-site.com domain, for example server.my-site.com. Also set the TTL on this domain to 1 minute. Now your server will be a part of both my-site.com and my-site-test.com.
• Test your applications using server.my-site.com and www.my-site-test.com. Test web traffic to www.my-site-test.com or server.my-site.com. Test mail to users @my-site-test.com.
• Once testing is completed, convert all the server configuration files to reference my-site.com and not my-site-test.com. Restart all the relevant applications.
• Coordinate with your web hosting provider to simultaneously update your domain registration's DNS records to point to your new DNS server.
• As both TTLs were set to 1 minute previously, you'll be able to see results of the migration within minutes. If anything goes wrong, you can then revert to the old configuration, knowing it will rapidly recover within minutes rather than days. You can then decide whether the change will be permanent once you have failed over back and forth a few times.
• Once complete, you can set the TTL back to 3 days to help reduce the volume of DNS query traffic hitting your DNS server.
• Finally, if you have concerns that your service provider won't co-operate then you could explain to them that you want to test their failover capabilities to a duplicate server that you host in-house.

Remember, you don't have to host DNS or mail in-house. This could be left in the hands of your service provider. You can migrate these services in-house later as your confidence in hosting becomes greater.

Fix Your Domain Registration

Remember to edit your domain registration for "my-site.com" so that at least one of the nameservers is your new nameserver. Domain registrars such as Verisign and RegisterFree usually provide a web interface to help you manage your domain. You'll have to do the following two steps:

o First, once you've logged in with the registrar's username and password, you'll have to create a new nameserver record entry for the IP address 97.158.253.26 to map to ns.my-site.com, or whatever your nameserver is called. (This screen will prompt you for both the server's IP address and name.)
o Then you'll have to assign ns.my-site.com to handle your domain. (This screen will prompt you for the server name only.)

Sometimes the registrar will require at least two registered nameservers per domain. If you only have one, then you could either:

o Create a second nameserver record entry with the same IP address, but a different name.
o Give your web server a second IP address using an IP alias, create a second NAT entry on your firewall and then create the second nameserver record entry with the new IP address and different name.

DHCP Considerations For DNS

If you have a DHCP server on your network, you'll need to make it assign the IP address of the Linux box as the DNS server it tells the DHCP clients to use. If your Linux box is the DHCP server, then you may need to refer to the DHCP server chapter.

Chapter 18: Dynamic DNS

What Is Dynamic DNS?

In many home networking environments the DSL IP address is provided by DHCP and therefore changes from time to time. Dynamic DNS (DDNS) allows you to host a website such as www.my-site.com in which the IP address is dynamically assigned. DDNS works by having webmasters register their DDNS sites on the DDNS provider's servers. The webmasters then register their domains with companies such as Verisign and RegisterFree and tell these registrars to direct queries for www.my-site.com to the servers of the DDNS provider. The webserver itself then has a DDNS client program running that updates the DDNS provider's name servers with the most current DHCP IP address of the site.

This chapter describes how to configure the most popular Linux based DDNS software, ez-ipupdate and DDclient, in the following two configurations:

• on a Linux box directly connected to the Internet
• on a Linux box protected by a NAT router / firewall

Remember that unlike DSL, most cable modem providers may not allow you to host sites at home. Before considering using a dynamic DNS solution for hosting a website at home with dynamic IPs:

• you must make sure your DSL provider will allow inbound connections, specifically HTTP, or else it will not work
• be prepared for slower response times for your home based site than if you were using a static IP and a regular DNS service
• register your domain name and read your DDNS provider's instructions on how to use their name servers

Dynamic DNS And NAT Router/Firewalls

As discussed in the introduction to networking chapter, most home router / firewalls will use Network Address Translation (NAT) to map a single public DHCP obtained IP address to the many private IP addresses within your network, in order to conserve the limited number of IP addresses available for internet purposes. NAT can fool the operation of some DDNS client software: the software can only report the true IP address of the Linux box's NIC interface. If the Linux box is being protected behind a NAT router / firewall then the NIC will report in its data stream to the DDNS provider a private IP address which no one can reach directly via the Internet. The reported value is therefore invalid.

Some DDNS providers use more intelligent clients such as DDclient which can be configured to let the DDNS provider record the public IP address from which the data stream is originating. In these cases you'll also have to configure your router / firewall to do port forwarding, so that all HTTP traffic destined for the IP address of the router / firewall is exclusively NAT-ed and forwarded to a single server on your home network. An example of port forwarding with a Cisco PIX firewall is given in both the Cisco PIX firewall chapter and the Net-Filter chapter.

Dynamic DNS Prerequisites

Sign Up With A DDNS Provider

First you'll have to register with a DDNS provider, some of which are listed in the Bibliography. This chapter focuses on the services of miniDNS and DynDNS. Most DDNS providers assume you are going to create a sub domain of their main domain. For example miniDNS.net will default to a domain such as machine-name.minidns.net. You can give your machine's name or you can name the machine "www" to create a combined domain-subdomain starting with www, which would be more intuitive to use. If you want to create your own domain such as my-site.com, you'll have to do a little extra work. With dynDNS.org you'll have to go with their paid service to get a customized domain name. They call it Custom DNS and it doesn't support ez-ipupdate; you'll need DDclient in this case. The cost is about US$20 per year.

Update Your DNS Registration

If you have your own domain, you'll have to register your domain with a DNS registrar such as www.registerfree.com or www.verisign.com. The miniDNS registration for your own domain requires you to use the "add DNS Record" link on the registration page to create your own domain. First you add your domain such as my-site.com. Then you must add a host record. Once this is done, you'll have to return to www.registerfree.com or www.verisign.com and update the nameserver entries for your domain to point to the name servers of your DDNS provider. DNS queries for my-site.com will eventually query RegisterFree or Verisign, which will then refer the query to your DDNS provider's name servers, which will have the most current IP address of your site because of the DDNS client software you are running at your home site.

Installing And Using ez-ipupdate

Download the tar/gzip file to your server's /tmp directory from the ez-ipupdate site listed in the Bibliography. Here is an example of the steps used to install it. Use the following commands to extract the contents into a new subdirectory:

[root@bigboy tmp]# gunzip zip-tar-filename
[root@bigboy tmp]# tar -xvf tar-filename
[root@bigboy tmp]# cd /tmp/filename

Follow the install instructions for doing the "make" or program compilation. The ez-ipupdate installation will put the executable file in /usr/local/bin and all the files in the /tmp/filename directory will become extraneous.

The /etc/ez-ipupdate.conf File

ez-ipupdate uses a configuration file named /etc/ez-ipupdate.conf in which you must specify:

o Your registration username and password
o The host name you have selected for your Linux box
o The NIC interface which is connected to your DSL line

Here is a sample:

service-type=justlinux
user=registration-username:registration-password
host=servername.my-site.com
interface=eth0

Note: The service-type line is specific to your dynamic DNS provider, which will often provide a customized /etc/ez-ipupdate.conf file for you to use.

ez-ipupdate And NAT

The ez-ipupdate software runs as a daemon in memory continuously checking the IP address of your NIC. It then communicates this information to your dynamic DNS provider. If your Linux server is protected behind a firewall using NAT then the IP address of the NIC won't match the public IP address of the firewall and DDNS won't work properly. In this case you'll have to use a client like DDclient which doesn't have this limitation.

Installing And Using DDclient

Another highly used solution is DDclient. Check the Bibliography for the DDclient URL. The developer of DDclient has recognized the limitations of using ez-ipupdate with NAT. DDclient has a simple "web" update mode which tells your DDNS provider to use the source IP address of the data stream used to update your DDNS record. In most Home / SOHO environments this will be the same as the firewall's external NAT IP address. In cases where "web" mode doesn't work, the DDclient script can also log in and parse out the external IP address of the router. DDclient claims to offer support for a wide variety of routers from different manufacturers. Remember, some routers such as the Netgear line may provide automatic DDNS service and you may not have to download the software. Before installing DDclient, read the README file to give you an idea of what to do.

[root@bigboy tmp]# gunzip ddclient.tar.gz
[root@bigboy tmp]# tar -xvf ddclient.tar
ddclient-3.6.2/
ddclient-3.6.2/COPYING
ddclient-3.6.2/COPYRIGHT
…

• Install the package using the rpm command:

[root@bigboy tmp]# rpm -Uvh httpd-2.0.40-8.i386.rpm

How To Get Apache Started

• Use chkconfig to configure Apache to start at boot:

[root@bigboy tmp]# chkconfig --level 35 httpd on

• Use the httpd init script in the /etc/init.d directory to start/stop/restart Apache after booting:

[root@bigboy tmp]# /etc/init.d/httpd start
[root@bigboy tmp]# /etc/init.d/httpd stop
[root@bigboy tmp]# /etc/init.d/httpd restart

• You can test whether the Apache process is running with the following command; you should get a response of plain old process ID numbers:

[root@bigboy tmp]# pgrep httpd

Configuring DNS For Apache

Remember that you will never receive the correct traffic unless you have configured DNS for your domain to make your new Linux box web server the target of the DNS domain's www entry. See either the Static DNS or Dynamic DNS pages on how to do this.

General Configuration Steps

The configuration file used by Apache is /etc/httpd/conf/httpd.conf. By default, Apache expects its HTML files to be located in the /var/www/html directory. Examples of this will follow.

Chapter 19: The Apache Webserver

Named Virtual Hosting

You can make your web server host more than one site per IP address by using Apache's "named virtual hosting" feature. The NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file is used to tell Apache the IP addresses which will participate in this feature. Here is the format:

NameVirtualHost 97.158.253.26

The <VirtualHost> sections in the file then tell Apache where it should look for the web pages used on each web site. You must specify the IP address for which each <VirtualHost> section applies. Here is the format:

<VirtualHost 97.158.253.26>
    Directives for site #1
</VirtualHost>

<VirtualHost 97.158.253.26>
    Directives for site #2
</VirtualHost>

Within each <VirtualHost> section you then specify the primary website domain name for that IP address with the ServerName directive. You can also list secondary domain names which will serve the same content as the primary ServerName using the ServerAlias directive. The directory where the index page for that site is located is defined with the DocumentRoot directive. As explained on the Apache website: "When a request arrives, the server will first check if it is using an IP address that matches the NameVirtualHost. If it is, then it will look at each <VirtualHost> section with a matching IP address and try to find one where the ServerName or ServerAlias matches the requested hostname. If it finds one, then it uses the configuration for that server. If no matching virtual host is found, then the first listed virtual host that matches the IP address will be used."

IP Based Virtual Hosting

The other virtual hosting option is to have one IP address per website, which is also known as IP based virtual hosting. In this case you will not have a NameVirtualHost directive for the IP address, and you must only have a single <VirtualHost> section per IP address.

A Note On Virtual Hosting And SSL

It is common for system administrators to replace the IP address in the <VirtualHost> and NameVirtualHost directives with the "*" (all IP addresses) wildcard character. This makes configuration easier. If you installed Apache with support for secure HTTPS / SSL, which is used frequently in credit card and shopping cart web pages, then wild cards won't work. The Apache SSL module demands at least one explicit <VirtualHost> directive for IP based virtual hosting. When you use wild cards, Apache interprets it as an overlap of name based and IP based <VirtualHost> directives and will give errors like this because it can't make up its mind about which method to use:

Starting httpd: [Sat Oct 12 21:21:49 2002] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

If you try to load any webpage on your web server you'll also notice an error like this:

Bad request! Your browser (or proxy) sent a request that this server could not understand. If you think this is a server error, please contact the webmaster

You have two options to overcome this problem:

o Continue using wildcards and disable SSL.
o Run Apache with more careful use of wildcards.

Disabling SSL – (Not Recommended)

If you wish to host a basic home SOHO website in which secure connections for credit card payments are unnecessary then you have the option of disabling SSL altogether. This can be done by not loading all the modules from the /etc/httpd/conf.d directory. By default, all the modules in this directory are loaded with the following directive in the /etc/httpd/conf/httpd.conf file:

Include conf.d/*.conf

You can therefore do a listing of all the files in this directory and specifically load all except ssl.conf. In this case we load only the php and perl modules:

Include conf.d/php.conf
Include conf.d/perl.conf

You will then have to restart Apache for the changes to take effect.

Use Wild Cards Sparingly

The other choice is not to use virtual hosting statements with wild cards. The only exception would be the very first <VirtualHost> directive which defines the web pages to be displayed when matches to the other <VirtualHost> directives cannot be found.
Configuration – Multiple Sites And IP Addresses

What follows are snippets of the section of the /etc/httpd/conf/httpd.conf file you'll need to edit. In this scenario:

• The systems administrator for the server has previously created DNS entries for www.my-site.com, www.my-other-site.com, www.default-site.com, www.test-site.com and www.my-cool-site.com to map to IP address 97.158.253.26 on this web server. The domain www.my-cool-site.com was also configured to point to alias IP address 97.158.253.27.
• Named virtual hosting will be required for 97.158.253.26 as in this case we have a single IP address serving different content for a variety of domains. A NameVirtualHost directive for 97.158.253.26 is therefore required.
• Traffic to www.my-site.com will get content from directory site4.
• Traffic to www.my-other-site.com must get content from subdirectory site2.
• Traffic going to www.my-cool-site.com must get content from sub-directory site3.
• All other domains pointing to this server that don't have a matching ServerName directive will get web pages from the directory defined in the very first <VirtualHost> section. In this case it is directory site1. There is no ServerName directive for www.default-site.com, and so traffic going to this domain falls in this category.

Web Hosting Scenario Summary

Domain                  IP address      Directory  Type of Virtual Hosting
www.my-site.com         97.158.253.26   Site4      Name Based
www.my-other-site.com   97.158.253.26   Site2      Name Based
www.my-cool-site.com    97.158.253.27   Site3      IP Based
All other domains       97.158.253.26   Site1      Name Based

A sample snippet of a working httpd.conf file is listed below. The statements listed would normally be found at the very bottom of the file where virtual hosting statements normally reside. The last section of this configuration snippet has some additional statements to ensure read-only access to your web pages with the exception of web based forms using POSTs (pages with "submit" buttons). Remember to restart Apache every time you update the conf file for the changes to take effect on the running process.

ServerName localhost
NameVirtualHost 97.158.253.26

#
# Match a webpage directory with each website
#
<VirtualHost *>
    DocumentRoot /var/www/html/site1
</VirtualHost>
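The following Python model is an added example, not code from the manual: it implements the selection rule quoted from the Apache website in the Named Virtual Hosting section and runs it against the scenario table above. Because the manual's own httpd.conf excerpt is truncated, the four <VirtualHost> blocks below are assumed from the table (www.my-site.com in site4, as the prose states); the last case shows what a request from the inside address 192.168.1.100 gets when only the wildcard default listens there, the situation the "Apache Running On A Server Behind A Firewall" section later addresses.

```python
"""Model of how Apache picks a <VirtualHost> for a request (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VirtualHost:
    """One <VirtualHost> block: its address ("*" for the wildcard), DocumentRoot and names."""
    address: str
    document_root: str
    server_name: Optional[str] = None
    server_aliases: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        """ServerName plus ServerAlias entries, lower-cased (hostnames are case-insensitive)."""
        names = [self.server_name] if self.server_name else []
        return [n.lower() for n in names + self.server_aliases]

    def listens_on(self, ip: str) -> bool:
        return self.address in ("*", ip)


def select_vhost(vhosts, name_vhost_ips, request_ip, host_header):
    """The rule quoted from the Apache site, in code.

    If the request IP is a NameVirtualHost address, walk the <VirtualHost>
    sections for that address in file order and return the first whose
    ServerName or ServerAlias matches the Host header; with no match the
    first listed section wins.  Otherwise (IP based hosting) the Host header
    is ignored: the section declared for exactly that address is used, and a
    wildcard section only if no exact one exists.
    """
    candidates = [v for v in vhosts if v.listens_on(request_ip)]
    if not candidates:
        return None
    if request_ip in name_vhost_ips:
        wanted = host_header.lower()
        for v in candidates:
            if wanted in v.names():
                return v
        return candidates[0]
    exact = [v for v in candidates if v.address == request_ip]
    return exact[0] if exact else candidates[0]


# The scenario table, constructed here as four blocks (assumption: the manual's
# own httpd.conf excerpt stops after the first block).
NAME_VHOST_IPS = {"97.158.253.26"}
SCENARIO = [
    VirtualHost("*", "/var/www/html/site1"),  # first block, no ServerName: the default
    VirtualHost("97.158.253.26", "/var/www/html/site4", "www.my-site.com"),
    VirtualHost("97.158.253.26", "/var/www/html/site2", "www.my-other-site.com"),
    VirtualHost("97.158.253.27", "/var/www/html/site3", "www.my-cool-site.com"),
]


def docroot_for(request_ip, host_header, vhosts=SCENARIO, name_vhost_ips=NAME_VHOST_IPS):
    """DocumentRoot Apache would serve from, or None if nothing listens on that IP."""
    chosen = select_vhost(vhosts, name_vhost_ips, request_ip, host_header)
    return chosen.document_root if chosen else None


if __name__ == "__main__":
    for ip, host in [("97.158.253.26", "www.my-other-site.com"),
                     ("97.158.253.26", "www.default-site.com"),
                     ("97.158.253.27", "www.my-cool-site.com"),
                     ("192.168.1.100", "www.my-site.com")]:
        print(f"{host:24s} via {ip:15s} -> {docroot_for(ip, host)}")
```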

A Note On Virtual Hosting And DNS
You will have to configure your DNS server to point to the correct IP address used for each of the websites you host. The chapter on static DNS shows you how to configure multiple domains such as my-site.com and my-other-site.com on your DNS server.

Using Data Compression On Web Pages
Apache also has the ability to dynamically compress static web pages into gzip format and then send the result to the remote web surfers’ web browser. Most current web browsers support this format and will transparently uncompress the data and present it on the screen. This can significantly reduce bandwidth charges if you are paying for internet access by the megabyte.


First you need to load Apache version 2's deflate module in your httpd.conf file and then use Location directives to specify what type of files to compress. After making these modifications and restarting Apache you will be able to verify from your /var/log/httpd/access_log file that the sizes of the transmitted HTML pages have shrunk. Here is a comparison of the file sizes in the Apache logs and the document directory: 78,350 bytes shrunk to 15,190 bytes, almost 80% compression.

Compression Configuration Example
You can insert these statements just before your virtual hosting section of your httpd.conf file to activate the compression of static pages. Remember to restart Apache when you do.

Apache Running On A Server Behind A Firewall
If your webserver is behind a firewall, and you are logged on a machine behind the firewall as well, then you may find problems when trying to access www.mysite.com or www.my-other-site.com. The reason for this is that due to NAT (Network Address Translation), firewalls frequently won't allow access from their protected network to IP addresses that they masquerade on the outside. For example, in this case, Linux web server bigboy has an internal IP address of 192.168.1.100, but the firewall presents it to the world with an external IP address of 97.158.253.26 via NAT/masquerading. If you are on the inside, 192.168.1.X network, you may find it impossible to hit URLs that resolve in DNS to 97.158.253.26. This can also be solved with virtual hosting. You can configure Apache to serve the correct content when accessing www.mysite.com or www.my-other-site.com from the outside, and also when accessing the specific IP address 192.168.1.100 from the inside. Fortunately Apache allows you to specify multiple IP addresses in the <VirtualHost> statements to help you overcome this problem. Here is an example:

File Permissions And Apache
Remember that if you get a "permissions" error in your web browser after trying to browse your newly configured website, then you need to ensure that you allow "others" to have read access to the directory all the way from the root directory "/" to the target sub-directory. The appendix has a short script that you can use to recursively set the file permissions in a directory to match those expected by Apache. You may also have to use the "Directory" directive to make Apache serve the pages once the file permissions have been correctly set. If you have your files in the default /var/www/html directory then this second step becomes unnecessary.

How To Protect Web Page Directories With Passwords
You can password protect content in both the main and sub-directories of your DocumentRoot fairly easily. I know of cases where persons will allow normal access to their regular web pages, but require passwords for directories / pages that show MRTG or Webalizer data. In this example we'll show how to password protect the /var/www/html directory.


• Apache has a password utility called "htpasswd" which can create "username password" combinations independent of your system login password for web page access. You have to specify the location of the password file, and if it doesn't yet exist, you'll have to include a "-c" or "create" switch on the command line. I recommend placing the file in your /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it. Here is an example for a first user named "peter" and a second named "paul":

[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#
[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#

• Make the .htpasswd file readable by all users.

[root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd

• Create a .htaccess file in the directory to which you want password control with the following entries. Remember this will password protect this directory and all its sub directories.

AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter

• The AuthUserFile tells Apache to use the ".htpasswd" file.
• The "require user" tells Apache that only user "peter" in the ".htpasswd" file should have access. If you wanted all ".htpasswd" users to have access then you'd replace this line with:

require valid-user

• "AuthType Basic" instructs Apache to accept basic unencrypted passwords from the remote user's web browser.

• Set the correct file protections on your new .htaccess file in the directory /var/www/html.

[root@bigboy tmp]# chmod 644 /var/www/html/.htaccess

• Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /var/www/html. In the example below, we want all directories below /var/www/ to require password authorization.


<Directory /var/www/html/*>
    AllowOverride AuthConfig
</Directory>

• You must also ensure that you have a <VirtualHost> directive that defines access to /var/www/html or another directory higher up in the tree.

<VirtualHost *>
    ServerName 97.158.253.26
    DocumentRoot /var/www/html
</VirtualHost>

• Restart Apache. Try accessing the web site and you'll be prompted for a password.
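As an added example (not from the manual), the Python below shows what the two pieces of this setup actually contain: the .htpasswd file holds hashed passwords in the format htpasswd writes with its -s switch, while the Authorization header that "AuthType Basic" accepts is only base64, which is why the manual calls it unencrypted. The users "peter" and "paul" come from the text; their passwords and the sample file are constructed here, and the authorize() function mirrors the "require user" versus "require valid-user" decision.

```python
"""htpasswd {SHA} entries and Basic authentication, modelled in the standard library (added example)."""
import base64
import hashlib
import hmac


def make_sha_entry(user: str, password: str) -> str:
    """One line as 'htpasswd -s' writes it: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash field, skipping blank lines and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def check_password(stored: str, password: str) -> bool:
    """Verify a password against a {SHA} field (the only scheme this example handles)."""
    if not stored.startswith("{SHA}"):
        raise ValueError("unsupported hash scheme in " + stored[:6])
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    expected = base64.b64encode(digest).decode("ascii")
    # constant-time comparison so timing does not leak how much of the hash matched
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def decode_basic_header(header: str):
    """(user, password) carried by an 'Authorization: Basic ...' header value.

    Basic auth only base64-encodes 'user:password'; anyone who can read the
    request on the wire recovers the credentials exactly like this, which is
    why the manual describes the scheme as unencrypted."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """What a browser sends back after the AuthName prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authorize(htpasswd_text: str, header: str, allowed_users=None) -> bool:
    """Apache's decision: 'require user ...' when allowed_users is given,
    'require valid-user' when it is None."""
    user, password = decode_basic_header(header)
    entries = parse_htpasswd(htpasswd_text)
    if user not in entries:
        return False
    if allowed_users is not None and user not in allowed_users:
        return False
    return check_password(entries[user], password)


# Constructed sample file for the manual's two users (passwords invented here).
SAMPLE_HTPASSWD = "\n".join([
    "# constructed /etc/httpd/conf/.htpasswd",
    make_sha_entry("peter", "peters-secret"),
    make_sha_entry("paul", "pauls-secret"),
])
```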

Issues When Upgrading To Apache 2.0
Incompatible /etc/httpd/conf/httpd.conf files

Your old configuration files will be incompatible when upgrading from Apache version 1.3 to Apache 2.X. The new version 2.X default configuration file is stored in /etc/httpd/conf/httpd.conf.rpmnew. For the simple virtual hosting example above, it would be easiest to:

o Save the old httpd.conf file with another name, httpd.conf-version-1.x for example.
o Copy the ServerName, NameVirtualHost, and VirtualHost sections from the old file and place them in the new file httpd.conf.rpmnew.
o Copy the httpd.conf.rpmnew file and name it httpd.conf.
o Restart Apache.

SNMP
What is SNMP?
Most routers and firewalls keep their operational statistics in Management Information Blocks (MIBs). Each statistic has an Object Identifier (OID) and can be remotely retrieved from the MIB via the Simple Network Management Protocol (SNMP). However, as a security measure, you need to know the SNMP password or "community string" to do so. There are a number of types of community strings. The most commonly used one is the "Read Only" community string, which only provides access for viewing statistics and system parameters; in many cases the "Read Only" community string or password is set to "public". There is also a "Read Write" community string for not only viewing statistics and system parameters but also updating the parameters.

SNMP on a Linux Server
By default, RedHat Linux has the NetSNMP package installed to provide SNMP services. NetSNMP uses a configuration file /etc/snmp/snmpd.conf in which the community strings may be set. The version of the configuration file that comes with Net-SNMP is quite complicated. I suggest
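Since the community string is the only thing standing between a remote query and the MIB, a practitioner will want to check what /etc/snmp/snmpd.conf actually grants before exposing the agent. The Python below is an added example (not from the manual or Net-SNMP): it reads the Net-SNMP directives that carry a community string (rocommunity, rwcommunity and the older com2sec mapping) and flags the default "public" the text mentions, short strings, read-write access and communities accepted from any source. The sample configuration is constructed.

```python
"""Audit community strings in a Net-SNMP snmpd.conf (added example)."""
import re
from typing import List, Tuple

# Strings every scanner tries first; the manual notes "public" is the usual default.
DEFAULT_COMMUNITIES = {"public", "private"}

# Net-SNMP directives that carry a community string:
#   rocommunity COMMUNITY [SOURCE [OID]]   read-only access
#   rwcommunity COMMUNITY [SOURCE [OID]]   read-write access
#   com2sec SECNAME SOURCE COMMUNITY       security-name mapping used by the RedHat default file
SIMPLE_RE = re.compile(r"^(rocommunity6?|rwcommunity6?)\s+(\S+)(?:\s+(\S+))?", re.I)
COM2SEC_RE = re.compile(r"^com2sec6?\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for risky community settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SIMPLE_RE.match(line)
        if m:
            directive, community, source = m.group(1).lower(), m.group(2), m.group(3)
            writable = directive.startswith("rw")
        else:
            m = COM2SEC_RE.match(line)
            if not m:
                continue
            _, source, community = m.groups()
            writable = False  # com2sec access level comes from group/access lines, not checked here
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"default community string '{community}'"))
        elif len(community) < 8:
            findings.append((lineno, f"short community string '{community}'"))
        if source in (None, "default"):
            findings.append((lineno, "community accepted from any source address"))
        if writable:
            findings.append((lineno, "read-write community; prefer read-only for monitoring"))
    return findings


# Constructed sample shaped like the RedHat default file plus two added lines.
SAMPLE_CONF = """\
# constructed sample, not a real /etc/snmp/snmpd.conf
com2sec notConfigUser  default       public
rocommunity  mrtg-r0-Str1ng  192.168.1.100
rwcommunity  secret
"""

if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```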

Chapter 20: Monitoring Server Performance

Note: In this case we were polling localhost. You can poll any SNMP aware network device with SNMP enabled. All you need is the IP address and SNMP read only string and you'll be able to get similar results. Now that we know SNMP is working correctly on your Linux server, we can configure a SNMP statistics gathering software package such as MRTG to create online graphs of your traffic flows.

MRTG

What is MRTG?

MRTG (Multi Router Traffic Grapher) is a public domain package for producing graphs of various types of router statistics via a web page. You can easily create graphs of traffic flow statistics through your home network's firewall / router or even your Linux box's NIC cards using MRTG. The product is available from the MRTG website and also on your distribution CDs.

Download and Install The MRTG Packages

Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. The latest version of the RPM for RedHat 8.0 is: mrtg-2.9.17-8.i386.rpm

o You can install the package like this:

[root@bigboy tmp]# rpm -Uvh mrtg-2.9.17-8.i386.rpm

o You will also need to have a webserver package installed for MRTG to work. The RedHat RPM version seems to work with Apache 1.3.X. This is available from the RedHat website or your installation CDs. The most current version as of this writing was apache 1.3.23-14. Install apache using the following command:

[root@bigboy tmp]# rpm -Uvh apache-1.3.23-14.i386.rpm

o MRTG runs automatically upon startup, but you'll need to configure Apache to start at boot using the chkconfig command:

[root@bigboy tmp]# chkconfig --level 35 httpd on

o Here's how to start/stop/restart Apache after booting:

[root@bigboy tmp]# /etc/init.d/httpd start
[root@bigboy tmp]# /etc/init.d/httpd stop
[root@bigboy tmp]# /etc/init.d/httpd restart

o Edit /etc/mrtg/localhost.cfg and remove the sections related to interfaces you don't need to monitor. This would most likely include the loopback interface lo: with the IP address of 127.0.0.1.

o Run MRTG using /etc/mrtg/localhost.cfg as your argument three times. You'll get an error the first two times as MRTG tries to rename old data files, and naturally, the first time it is run, MRTG has no data files to move.

[root@bigboy mrtg]# mrtg /etc/mrtg/localhost.cfg
Rateup WARNING: /usr/bin/rateup could not read the primary log file for localhost_192.168.1.100
Rateup WARNING: /usr/bin/rateup The backup log file for localhost_192.168.1.100 was invalid as well
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
Rateup WARNING: /usr/bin/rateup Can't rename localhost_192.168.1.100.log to localhost_192.168.1.100.old updating log file
[root@bigboy mrtg]# mrtg /etc/mrtg/localhost.cfg
Rateup WARNING: /usr/bin/rateup Can't remove localhost_192.168.1.100.old updating log file
[root@bigboy mrtg]# mrtg /etc/mrtg/localhost.cfg
[root@bigboy mrtg]#

o You'll then want to use MRTG's indexmaker command to create a combined index page to see all the graphs defined in all the various ".cfg" files in your /etc/mrtg directory. The format of the command is:

indexmaker --output=filename device1.cfg device2.cfg etc

[root@bigboy mrtg]# indexmaker --output=index.html /etc/mrtg/localhost.cfg

Note: The indexmaker command creates a very generic index page which is very similar to the MRTG home page; don't be fooled, you will find your devices at the very bottom.

o When the MRTG RPM is installed it places an entry in the /etc/crontab file to make MRTG run every 5 minutes using the default /etc/mrtg/mrtg.cfg configuration file. Add a new line referring to /etc/mrtg/localhost.cfg and comment out the one pointing to mrtg.cfg.

# 0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/mrtg.cfg
0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/localhost.cfg

Once this is done, you can point your browser to http://ip-address/mrtg/ to get a graphical listing of all the monitored interfaces.

RedHat Version 8.0 and Indexmaker

RedHat version 8 gives an error like this when running indexmaker:

[root@bigboy mrtg]# indexmaker --output=index.html /etc/mrtg/localhost.cfg
Can't locate package $VERSION for @MRTG_lib::ISA at /usr/bin/indexmaker line 49
        main::BEGIN() called at /usr/bin/../lib/mrtg2/MRTG_lib.pm line 49
        eval {...} called at /usr/bin/../lib/mrtg2/MRTG_lib.pm line 49
[root@bigboy mrtg]#

You have a couple of choices here:

• Run a version of indexmaker from an older version of RedHat.
• Create your own custom index page to replace the default one in /var/www/html/mrtg. You can then add links to all the html files in the /var/www/html/mrtg/stats directory.

[root@bigboy mrtg]# cp /var/www/html/mrtg/*.png /var/www/html/mrtg/stats

Using MRTG To Monitor Other Subsystems

MRTG will generate HTML pages with daily, weekly, monthly and yearly statistics for your interfaces. By default MRTG provides only network interface statistics. The MRTG website www.mrtg.org has links to other sites that show you how to monitor other sub-systems on a variety of devices and operating systems.

Webalizer

What Is Webalizer?

Webalizer is a web server log file analysis tool that comes installed by default on RedHat Linux. Webalizer reads your Apache log files and creates a set of web pages that allow you to view websurfer statistics for your site. The information provided includes a list of your web site's most popular pages sorted by "hits" along with traffic graphs showing the times of day when your site is most popular.

The Webalizer Configuration File

Webalizer stores its configuration in the file /etc/webalizer.conf. The default settings should be sufficient for your web server, but you may want to adjust the directory in which Webalizer places your graphic statistics. This can be adjusted with the OutputDir directive in the file.

How To View Your Webalizer Statistics

By default Webalizer places its index page in the directory /var/www/html/usage, so if you have a default Apache installation you'll be able to view your data by visiting http://www.my-site.com/usage.

Make Webalizer run in Quiet Mode

Webalizer runs each night from the /etc/cron.daily/00webalizer script file. It has a tendency to create this message in your logs which, according to the Webalizer site's documentation, is non-critical:

Error: Unable to open DNS cache file /var/lib/webalizer/dns_cache.db

You can make the software run in quiet mode by editing the /etc/cron.daily/00webalizer script file and adding the -Q (Quiet) switch to the webalizer command like this:

...the main advantages of mail relaying is that when a PC user "A" sends mail to another user "B" on the Internet, the PC of user "A" can delegate the SMTP processing to the mail server.

Note: If mail relaying is not configured properly then your mail server could end up relaying SPAM. Simple sendmail security is outlined on this page.

Configuring DNS

Remember that you will never receive mail unless you have configured DNS for your domain to make your new Linux box mail server the target of the DNS domain's MX record. See either the Static DNS or Dynamic DNS pages on how to do this.

Installing And Starting Sendmail

Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn’t hard. If you need a refresher, the chapter on RPMs covers how to do this in detail.

o It is best to use the latest version of sendmail as older versions have had a number of security holes. As of this writing the latest version of the sendmail suite was version 8.12.5-7. Install all the packages in this order:

[root@bigboy tmp]# rpm -Uvh sendmail-cf-8.12.5-7.i386.rpm
[root@bigboy tmp]# rpm -Uvh sendmail-8.12.5-7.i386.rpm
[root@bigboy tmp]# rpm -Uvh sendmail-devel-8.12.5-7.i386.rpm

o You can use the chkconfig command to get Sendmail configured to start at boot:

[root@bigboy tmp]# chkconfig --level 35 sendmail on

o To start/stop/restart sendmail after booting

[root@bigboy tmp]# /etc/init.d/sendmail start
[root@bigboy tmp]# /etc/init.d/sendmail stop
[root@bigboy tmp]# /etc/init.d/sendmail restart

o Remember to restart the sendmail process every time you make a change to the configuration files for the changes to take effect on the running process. You can also test whether the sendmail process is running with the pgrep command, you should get a response of plain old process ID numbers:

[root@bigboy tmp]# pgrep sendmail

Restart Sendmail After Editing Your Configuration Files

In this chapter we’ll see that Sendmail uses a variety of configuration files which require different treatments in order for their commands to take effect. This little script encapsulates all the required post configuration steps. Delete the appropriate "m4" line depending on your version of RedHat.

#!/bin/bash
cd /etc/mail
make
# RH Ver 7.3
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
# RH Ver 8.0+
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
newaliases
/etc/init.d/sendmail restart

Use this command to make the script executable:

chmod 700 filename

You’ll need to run the script each time you change any of the sendmail configuration files described in the sections to follow. The line in the script that restarts sendmail is only needed if you have made changes to the /etc/mail/sendmail.mc file, but it has been included so that you don’t forget.

Both the newaliases and m4 commands depend on the sendmail-cf RPM package. This must be installed; if not, you'll get errors like this when running the script:

Errors With The Newaliases Command

[root@bigboy mail]# newaliases
Warning: .cf file is out of date: sendmail 8.12.5 supports version 10, .cf file is version 0
No local mailer defined
QueueDirectory (Q) option must be set
[root@bigboy mail]#

Errors With The m4 Command

[root@bigboy mail]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/mail/sendmail.mc:8: m4: Cannot open /usr/share/sendmailcf/m4/cf.m4: No such file or directory
[root@bigboy mail]#

Errors When Restarting sendmail

[root@bigboy mail]# /etc/init.d/sendmail restart
Shutting down sendmail: [  OK  ]
Shutting down sm-client: [FAILED]
Starting sendmail: 554 5.0.0 No local mailer defined
554 5.0.0 QueueDirectory (Q) option must be set
[FAILED]
Starting sm-client: [  OK  ]
[root@bigboy mail]#

The /var/log/maillog File

Sendmail throws all its status messages in the /var/log/maillog file. It is always good to monitor this file whenever you are doing changes. Open two telnet, SSH or console windows. Work in one of them and monitor the sendmail status output in the other using the command

[root@bigboy tmp]# tail -f /var/log/maillog

The /etc/mail/sendmail.mc File

Most of sendmail's configuration parameters are set in this file with the exception of mailing list and mail relay security features. It is often viewed as an intimidating file with its series of structured "directive" statements that get the job done. Fortunately in most cases you won't have to edit this file very often. The two most basic steps in configuring a Sendmail server are to modify this file to enable Sendmail to listen on the NIC interface and to make Sendmail accept mail from valid web domains.

Note: When sendmail starts, it reads the file sendmail.cf for its configuration. sendmail.mc is a more user friendly configuration file and really is much easier to fool around with without getting burned. The sendmail.cf file is located in different directories dependent on the version of RedHat you use: /etc/sendmail.cf for versions up to 7.3, and /etc/mail/sendmail.cf for versions 8.0 and higher.

Why Sendmail Only Listens On The Loopback Interface By Default

All Linux systems have a virtual loopback interface that only lives in memory with an IP address 127.0.0.1. As mail must be sent to a target IP address even when there is no NIC in the box, Sendmail therefore uses the loopback address to send mail to users on the local box. To become a server, and not a client, Sendmail needs to be also configured to listen for messages on the NIC interface.

We can verify that sendmail is running by first using the pgrep command which will return the sendmail process ID number once sendmail is running. If it isn't running, then the return value will be blank.

[root@bigboy tmp]# pgrep sendmail
22131
[root@bigboy tmp]#

We can also see the interfaces on which Sendmail is listening with the “netstat” command. Sendmail listens on TCP port 25, so we use "netstat" and "grep" for "25" to see a default configuration listening only on IP address 127.0.0.1 (loopback).

[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
[root@bigboy tmp]#

Edit /etc/mail/sendmail.mc To Make Sendmail Listen On NICs Too

To correct this you'll have to comment out the daemon_options line in the /etc/mail/sendmail.mc file with "dnl" statements. It is also good practice to take precautions against SPAM by not accepting mail from domains that don't exist by commenting out the "accept_unresolvable_domains" feature too. See the italicized lines in the example below.

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl

You need to be careful with the accept_unresolvable_names feature. In our sample network, bigboy the mail server will not accept email relayed from any of the other PCs on your network if they are not in DNS. The chapter on DNS shows how to create your own internal domain just for this purpose.

Regenerate The sendmail.cf File

Once finished editing the file, we have to regenerate a new sendmail.cf file and restart sendmail.

Redhat versions up to 7.3

[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

Redhat versions 8.0+

[root@bigboy tmp]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Restart sendmail to load the new configuration

[root@bigboy tmp]# /etc/init.d/sendmail restart
Shutting down sendmail: [  OK  ]
Starting sendmail: [  OK  ]
[root@bigboy tmp]#

Now Make Sure Sendmail Is Listening On All Interfaces

Sendmail should start listening on all interfaces (0.0.0.0)

[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
[root@bigboy tmp]#

A General Guide To Using The sendmail.mc File

The sendmail.mc file can seem jumbled. To make it less cluttered I usually create two easily identifiable sections in it with all the custom commands I've ever added. The first section is near the top where the FEATURE statements usually are, and the second section is at the very bottom. Sometimes sendmail will archive this file when you do a version upgrade. Having easily identifiable modifications in this file will make post upgrade reconfiguration much easier. Here is a sample:

dnl ***** Customised section 1 start *****
dnl
dnl FEATURE(delay_checks)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_entire_domain)dnl
dnl
dnl
dnl ***** Customised section 1 end *****

The /etc/hosts File

It is very important to have a correctly configured /etc/hosts file. Sendmail uses this file to determine:

o The system name
o The domains it is responsible for relaying

Here is a brief example:

127.0.0.1        localhost.localdomain   localhost
192.168.1.100    bigboy.my-site.com      bigboy   mail   www

Here the IP address is followed by the hostname.domain (bigboy.my-site.com) followed by the hostname and all the DNS CNAMEs assigned to the server's IP address.

Sendmail looks for the IP address of your NIC in /etc/hosts and then assumes the first name after it is the fully qualified domain name of the server such as bigboy.my-site.com. If bigboy had an entry like this:

192.168.1.100    my-site.com    (Wrong!!!)

Sendmail would assume the server's name was my-site and that the domain was all of ".com". The server would therefore be open to relay all mail from any ".com" domain and would ignore the security features of the access and relay-domains files we'll describe below.

If you fail to put the IP address of your NIC in the /etc/hosts file altogether, then you run the risk of having all your mail appear to come from localhost.localdomain and not bigboy.my-site.com. Localhost.localdomain is the domain that all computers use to refer to themselves, it is therefore an illegal internet domain.

Symptoms Of A Bad /etc/hosts File

As discussed above, a poorly configured /etc/hosts file can make mail sent from your server to the outside world appear as if it came from users at localhost.localdomain and not bigboy.my-site.com. Use the sendmail program to send a sample email to someone in verbose mode. Enter some text after issuing the command and end your message with a single "." all by itself on the last line.

[root@bigboy tmp]# sendmail -v example@another-site.com
test text
test text
.
example@another-site.com... Connecting to mail.another-site.com. via esmtp...
220 ltmail.another-site.com LiteMail v3.02(BFLITEMAIL4A) Sat, 05 Oct 2002 06:48:44 -0400
>>> EHLO localhost.localdomain
250-mx.another-site.com Hello [67.120.221.106], pleased to meet you
250 HELP
>>> MAIL From:<root@localhost.localdomain>
250 <root@localhost.localdomain>... Sender Ok
>>> RCPT To:<example@another-site.com>
250 <example@another-site.com>... Recipient Ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 Message accepted for delivery
example@another-site.com... Sent (Message accepted for delivery)
Closing connection to mail.another-site.com.
>>> QUIT
[root@bigboy tmp]#

If mail sent from computer PC1 to PC2 appears to come from a user at localhost.localdomain on PC1 and is rejected, the rejected email will be returned to localhost.localdomain. PC2 will see that the mail originated from localhost.localdomain and will think that the rejected email should be sent to a user on PC2 that may not exist. You will probably get an error like this in /var/log/maillog if this happens:

Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: SYSERR(root): savemail: cannot save rejected email anywhere
Oct 16 10:20:04 bigboy sendmail[2500]: g9GHK3iQ002500: Losing ./qfg9GHK3iQ002500: savemail panic

Note: You may also get this error if you are using a SPAM prevention program, for example a script based on the PERL module Mail::Audit. An error in the script could cause this type of message too.

Another set of tell tale errors caused by the same problem can be generated when trying to send mail to a user, in this example "root", or creating a new alias database file. (The newaliases command will be explained later):

[root@bigboy tmp]# sendmail -v root
WARNING: local host name (bigboy) is not qualified; fix $j in config file
[root@bigboy tmp]# newaliases
WARNING: local host name (bigboy) is not qualified; fix $j in config file
[root@bigboy tmp]#

With the accompanying error in the /var/log/maillog log file that looks like this:

Oct 16 10:23:58 bigboy sendmail[2582]: My unqualified host name (bigboy) unknown; sleeping for retry

The /etc/mail/relay-domains File

The /etc/mail/relay-domains file is used to determine domains from which it will relay mail. The contents of the relay-domains file should be limited to those domains that can be trusted not to originate spam. By default, this file does not exist in a standard RedHat install.

my-super-duper-site.com

In this case, all mail sent from my-super-duper-site.com and not destined for this mail server will be forwarded. Sendmail has to be restarted after editing this file for the changes to take effect.

One disadvantage of this file is that it can only control mail based on the source domain which can be spoofed by SPAM email servers. The /etc/mail/access file has more capabilities, such as restricting relaying by IP address or network range and is more commonly used. If you delete /etc/mail/relay-domains, then relay access is fully determined by the /etc/mail/access file.

The /etc/mail/access File

You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file. That is to say, the mail server will only relay mail for those PCs on your network that have their email clients configured to use the mail server as their "outgoing SMTP mail server". (In Outlook Express you set this using: Tools Menu -> Accounts -> Properties -> Servers) If you don't take the precaution of using this feature, you may find your server being used to relay mail for SPAM email sites. Configuring the /etc/mail/access file will not stop SPAM coming to you, only SPAM flowing through you.

The /etc/mail/access file has two columns. The first lists IP addresses and domains from which the mail is coming or going. The second lists the type of action to be taken when mail from these sources / destinations is received. Keywords include RELAY, REJECT, OK (not ACCEPT) and DISCARD. There is no third column to state whether the IP address or domain is the source or destination of the mail. Sendmail assumes it could be either and tries to match both.

In the sample file below, we allow relaying for only the server itself (127.0.0.1, localhost), two client PCs on your home 192.168.1.X network, everyone on your 192.168.2.X network and everyone passing email through the mail server from servers belonging to my-site.com. Remember that a server will only be considered a part of my-site.com if its IP address can be found in a DNS reverse zone file:

localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY

Sendmail will REJECT all other attempted relayed mail that doesn't match any of the entries in the /etc/mail/access file. Despite this, my experience has been that control on a per email address basis is much more intuitive via the /etc/mail/virtusertable file.

You'll then have to convert this text file into a Sendmail readable database file named /etc/mail/access.db. Here are the commands to do that:

[root@bigboy tmp]# cd /etc/mail
[root@bigboy mail]# make

Remember that the relay security features of this file may not work if you don't have a correctly configured /etc/hosts file.
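To see how the two-column access file above actually gates relaying, here is an added Python example (not code from the book) that matches a connecting client's IP and reverse-DNS name against the entries the way sendmail tries progressively shorter address prefixes and parent domains, and flags RELAY entries broad enough to create an open relay (such as the bare ".com" the /etc/hosts mistake above would produce). The sample table is constructed to mirror the one above, and the audit heuristic is my own, not sendmail's.

```python
"""Evaluate a sendmail /etc/mail/access file the way this chapter describes.

Added example, not the book's code.  Keys are IPv4 addresses, address
prefixes, host/domain names or mail addresses.  A client is matched on its
IP first and then on its reverse-DNS name; shorter prefixes and parent
domains are tried in turn.  audit() is a home-grown check for RELAY keys
that are broad enough to turn the server into an open relay.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the access file shown in the text.
SAMPLE_ACCESS = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
"""


def parse_access(text: str) -> Dict[str, str]:
    """Return {key: action} from the two-column text form of the file."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two columns: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def _is_ipv4(key: str) -> bool:
    return key.replace(".", "").isdigit()


def candidates(key: str) -> List[str]:
    """Lookup keys sendmail would try for this client, most specific first."""
    key = key.lower()
    if _is_ipv4(key):                    # 192.168.1.16 -> 192.168.1 -> 192.168 -> 192
        octets = key.split(".")
        return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    if "@" in key:                       # full address, then its domain's chain
        domain = key.partition("@")[2]
        return [key] + candidates(domain)
    labels = key.split(".")              # sales.my-site.com -> my-site.com -> com
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table: Dict[str, str], key: str) -> Optional[Tuple[str, str]]:
    """First matching (entry, action) for key, or None if nothing matches."""
    for cand in candidates(key):
        if cand in table:
            return cand, table[cand]
    return None


def relay_allowed(table: Dict[str, str], client_ip: str,
                  client_name: Optional[str] = None) -> bool:
    """Would this server relay for the connecting client?

    The IP is checked first, then the name obtained from reverse DNS, which
    is why a host in my-site.com is trusted only if its address appears in
    a reverse zone.  Anything unmatched is not relayed (relaying denied).
    """
    for key in (client_ip, client_name):
        if key:
            hit = lookup(table, key)
            if hit and hit[1].upper().startswith("RELAY"):
                return True
    return False


def audit(table: Dict[str, str]) -> List[str]:
    """Heuristic check (mine, not sendmail's) for dangerously broad RELAY keys."""
    warnings = []
    for key, action in table.items():
        if not action.upper().startswith("RELAY"):
            continue
        if _is_ipv4(key) and key.count(".") < 2:       # "192" or "192.168"
            warnings.append(f"{key}: RELAY for a very large address block")
        elif not _is_ipv4(key) and "." not in key and key != "localhost":
            warnings.append(f"{key}: RELAY for an entire top-level domain")
    return warnings


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for ip, name in (("192.168.2.77", None), ("192.168.1.18", None),
                     ("10.0.0.5", "sales.my-site.com")):
        print(ip, name, "RELAY" if relay_allowed(table, ip, name) else "denied")
    print(audit(parse_access("com RELAY\n")))
```

Nothing here consults DNS: pass the name your server would get from the reverse lookup, which is exactly the name the matching depends on.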

The true destination in the eyes of the mail server could be a local Linux user.com. .com my-other-site. If it doesn't find a duplicate.linuxhomenetworking.com In this case.my-site. For example.com
The /etc/mail/local-host-names File
When sendmail receives mail.com" DNS zonefile point to my-site.
.my-site. It uses the /etc/mail/local-host-names file to do this.com. MX 10 mail. it needs a way of determining whether it is responsible for the mail it receives.230
www.com
Which User Should Really Receive The Mail?
Sendmail uses two different methods to determine who the ultimate mail recipient will be. o o o If the mailing list member doesn't have an "@" in the name. it assumes the recipient is a local user. The first column has the mailing list name (sometimes called a virtual mailbox) and the second column has the members of the mailing list separated by commas. It checks these methods in this order: The /etc/mail/virtusertable file This file has two columns.com then the file would look like this: my-site. then sendmail assumes the recipient is on the local box. The /etc/aliases file This file has two columns too.com and the host server. It will then search the first column of the aliases file to see if the recipient isn't on yet another mailing list. Here is an example (Remember each ".com. remember to modify the MX record of the "my-other-site. Primary Mail Exchanger for my-other-site. a mailing list entry in the /etc/aliases file or the email address of someone on some other mail server to which the mail should be automatically forwarded. The second column lists the single true destination. It could be viewed as a mailing list file. if this mail server was to accept mail for the domains my-site. This file has a list of hostnames and domains for which sendmail will accept responsibility.com and my-other-site." is important): my-other-site. o o The first lists the destination to which the original sender intended to send the mail.

The first column lists the target email address and the second column lists the local user’s mail box or remote email address to which the email should be forwarded. they will all get a copy of the email message.com finance@my-site.these MUST be present.com.com receive a "bounce back" message stating "User unknown" webmaster@my-other-site. In this case "root" is actually an alias for a mailing list consisting of user "marc" and webmaster@my-site.
. "lp".db. "paul" and "finance" at my-site.com webmasters marc sales@my-other-site. and members of the mailing lists in the second column. Note: The default /etc/aliases file installed with RedHat has the last line of this sample commented out with a "#".com paul@my-site. In the example below. you may want to delete the comment and change user "marc" to another user.com will go to the sales department at my-othersite.com goes to local user (or mailing list) "paul" all other users at my-site.. mailer-daemon: postmaster postmaster: root # General redirections for pseudo accounts.com will go to local user "marc". Here are the commands to do that:
[root@bigboy tmp]# cd /etc/mail [root@bigboy mail]# make
The /etc/aliases File
This file is really a list of email aliases for local users. "daemon". "sales" at my-site.com @my-other-site. "named". It contains a list of virtual mail boxes (or mailing lists) in the first column. etc by system processes will all be sent to user (or mailing list) "root". mail sent to: o o o o webmaster@my-other-site. then it goes through the process all over again to determine each individual in the mailing list and when it is all finished. all other mail to my-other-site.com paul paul error:nouser User unknown
After editing this file you'll have to convert it into a sendmail readable database file named /etc/mail/virtusertable. "shutdown".Chapter 21: Configuring Linux Mail
231
o
If the recipient is a mailing list.com. In the example below.
The /etc/mail/virtusertable file
This file contains a set of simple instructions on what to do with received mail.com @my-site. # Basic system aliases -. "apache". you can see that mail sent to users "bin".com will go to local user (or mailing list) "webmasters"..com sales@my-site.

db. Mail to "directors@my-site. Despite this. Another is that all subscriptions and unsubscriptions have to be done manually by the mailing list administrator.mary Mail sent to "family@my-site. user “root” is only needed update the aliases file.sister
Mail sent to admin-list gets sent to all the users listed in the file /usr/home/admin/admin-list. This is important as you will get errors if you add spaces.com
bin: daemon: lp: shutdown: mail: apache: named: system: manager: abuse:
root root root root root root root root root root
# trap decode to catch security attacks decode: root # Person who should get root's mail root: marc. "brother" and "sister" # My family family:
grandma. "paul" and "mary".232
www. After editing this file you'll have to convert it into a sendmail readable database file named /etc/aliases.
.webmaster@my-site. If either of these are a problem for you. The advantage of using mailing list files is that the admin-list file can be a file that trusted users can edit. Here are a few more list examples for your /etc/aliases file. One is that bounce messages from failed attempts to broadcast goes to all users.com" goes to users "grandma". there are some problems with mail reflectors.brother. Here is the command to do that: [root@bigboy tmp]# newaliases
Simple Mailing Lists Using Aliases
In the simple mailing list example above.com Notice that there are no spaces between the mailing list entries for “root”.paul.com" goes to users "peter".com. mail sent to "root" actually goes to user account "marc" and webmaster@my-site. then consider using a mailing list manager like majordomo.linuxhomenetworking. # Directors of my SOHO company directors: peter.

if not. Here is an example: # Person who should get root's mail root: webmaster@my-site. it will have no "to:" in the email header.com then you have two choices: o o Configure your email client. Set up masquerading to modify the domain name of all traffic originating from and passing trough your mail server. we made bigboy the mailserver for the domain my-site. try making root have an alias for a user with a fully qualified domain name.com. you may find yourself dumping legitimate mail. such as Outlook Express. To get around this. When sendmail sends email to a local user. In other words you may want your mail server to handle all email by assigning a consistent return address to all outgoing mail. to set your email address to user@mysite. Here is the command to do that: [root@bigboy tmp]# newaliases
An Important Note About The /etc/aliases File
By default your system uses sendmail to mail system messages to local user "root". This explained later in this chapter in the POP Mail section.mc that all outgoing mail originating on bigboy should appear to be coming from my-site.my-site. but you may not want your website site to be remembered with the word "mail" in front of it.mc configuration file and adding some masquerading commands and directives.com.com
Sendmail Masquerading Explained
If you want your mail to appear to come from user@mysite.mysite. based on our settings in the /etc/hosts file. you'll have to convert it into a sendmail readable database file named /etc/aliases.com.Chapter 21: Configuring Linux Mail
233
# My mailing list file admin-list: ":include:/home/mailings/admin-list" After editing this file. If you then use a mail client like Outlook Express with a SPAM mail filtering rule to reject mail with no to: in the header. it will appear to come from mail. This isn't terrible.com and not user@bigboy. You now have to tell bigboy in the sendmail configuration file sendmail. These are explained below:
.
Configuring masquerading
In the DNS configuration. This can be solved by editing your sendmail. this will force sendmail to insert the correct fields in the header.db. no matter which server originated the email.com.

as Spammers often do.com. say the "to:" and "from:" should be. Feature "masquerade_envelope" will rewrite the email envelope just as "MASQUERADE_AS" rewrote the header.com. Feature "masquerade_entire_domain" makes sendmail masquerade servers named *my-site. Use this with caution.localdomain.com.com would be masqueraded too.com
FEATURE(always_add_domain)dnl FEATURE(`masquerade_entire_domain')dnl FEATURE(`masquerade_envelope')dnl FEATURE(`allmasquerade')dnl MASQUERADE_AS(`my-site.com)dnl • • The MASQUERADE_AS directive will make all mail originating on bigboy appear to come from a server within the domain my-site. You should also tail the /var/log/maillog file to verify that the masquerading is operating correctly and check the envelope and header of test email received by test email accounts.
Other Masquerading Notes
By default. it is detrimental to email delivery to fake the envelope.com. The email envelope contains the "to:" and "from:" used by mailservers for protocol negotiation.
•
•
• •
Testing Masquerading
The best way of testing masquerading from the Linux command line is to use the "mail -v username" command.com. then only servers named mysite. Feature "always_add_domain" will always masquerade email addresses. only when you are sure you have the authority to do this. It is the envelope's "from:" which is used when email rejection messages are sent between mail servers. If you cc: yourself on an outgoing mail.com as my-site. This is achieved with the:
.')dnl MASQUERADE_AS(my-site.com and my-othersite. It is easy to fake the header.mysite. even if the mail is sent from a user on the mail server to another user on the same mail server.linuxhomenetworking. mail from sales.234
www.com would be masqueraded. I have noticed that "sendmail -v username" ignores masquerading altogether. such as Outlook Express.com domain appear to come from the MASQUERADE_AS domain of my-site. and *my-other-site. The email header is what email clients. Feature "allmasquerade" will make sendmail rewrite both recipient addresses and sender addresses relative to the local machine. In other words.com by rewriting the email header. the other recipient will see a cc: to an address he knows instead of one on localhost. user "root" will not be masqueraded.')dnl MASQUERADE_DOMAIN(`my-site. The MASQUERADE_DOMAIN directive will make mail relayed via bigboy from all machines in the my-other-site. The "to:" and "from:" in the header is what is used when you use Outlook Express to do a "reply" or "reply all". If this wasn't selected.

cpan. You'll also have to make your Linux box a POP mail server.mc. mail-filter.
.
Configuring Your POP Mail Server
Sendmail will just handle mail sent to your "my-site.com" domain.org). The most important modules are: o o o o MailTools IO-Stringy MIME-tools Mail-Audit
I have written a script called mail-filter. There are a few steps required to make the script work: o o o Install PERL and the PERL modules listed above.forward” file and place an entry in /etc/smrsh
Mail-filter will first reject all email based on the “reject” file and will then accept all mail found in the “accept” file. If you want to retrieve this mail from your Linux box's user account.forward” file in your home directory for the name of this script. It will then deny everything else. PERL doesn’t come with modules that are able to check email headers and envelopes so you will have to download them from CPAN (www. then you have a few more steps.pl that effectively filters out SPAM email for my home system. Sendmail then looks for the filename in the directory /etc/smrsh and executes it. By default. using a mail client such as Microsoft Outlook or Outlook Express. Each user on your Linux box will get mail sent to their account's mail folder. You can comment this out if you like with a "dnl" at the beginning of the line and recompiling / restarting sendmail
A Simple PERL Script To Help Stop SPAM
It is possible to limit the amount of unsolicited commercial email (UCE or SPAM) SPAM you receive by writing a small script to intercept your mail before it is written to your mailbox. which specifies the subjects and email addresses to accept. Place an executable version of the script in your home directory and modify the script’s $FILEPATH variable point to your home directory Update the two configuration files: mail-filter. I have included a simple script with instructions on how to install the PERL modules in the Appendix.Chapter 21: Configuring Linux Mail
235
EXPOSED_USER(`root')dnl command in /etc/mail/sendmail.accept.reject that specifies those that you should reject. This is fairly simple to do as sendmail always checks the “. o Update your “.

Installing Your POP Mail Server
o The IMAP/POP mail suite comes standard with the RedHat installation CDs. Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail. You can install the RPM with this command:
    [root@bigboy tmp]# rpm -Uvh imap-2001a-15.i386.rpm
o POP mail is started by xinetd. Therefore to get POP mail configured to start at boot you have to use the chkconfig command to make sure xinetd starts up on booting.
    [root@bigboy tmp]# chkconfig --level 35 xinetd on
o To start/stop/restart POP mail after booting you can use the xinetd init script located in the directory /etc/init.d like this:
    [root@bigboy tmp]# /etc/init.d/xinetd start
    [root@bigboy tmp]# /etc/init.d/xinetd stop
    [root@bigboy tmp]# /etc/init.d/xinetd restart
  Remember to restart the POP mail process every time you make a change to the configuration files for the changes to take effect on the running process.

www.linuxhomenetworking.com

Configuring Your POP Mail Server
The starting and stopping of POP Mail is controlled by xinetd via the /etc/xinetd.d/ipop3 file. POP Mail is deactivated by default, so you'll have to edit this file to start the program. The disable feature must be set to "no" to accept connections. Follow the steps below and set the "disable" parameter to "no". Make sure the contents look like this:

    [root@bigboy tmp]# cd /etc/xinetd.d
    [root@bigboy xinetd.d]# vi ipop3

    # default: off
    # description: The POP3 service allows remote users to access their mail \
    #              using an POP3 client such as Netscape Communicator, mutt, \
    #              or fetchmail.
    service pop3
    {
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/ipop3d
            log_on_success  += HOST DURATION
            log_on_failure  += HOST
            disable         = no
    }

You will then have to restart xinetd for these changes to take effect using the startup script in the /etc/init.d directory. Naturally, to disable POP Mail once again, set "disable" to "yes" and restart xinetd.

How To Configure Your Windows Mail Programs
All your POP email accounts are really only regular Linux user accounts in which Sendmail has deposited mail. You can now configure your email client such as Outlook Express to use your new POP / SMTP Mail Server quite easily. Here's how:
o POP Mail: Set your POP mail server to be the IP address of your Linux mail server. Use your Linux user username and password when prompted.
o SMTP: Set your SMTP mail server to be the IP address / domain name of your Linux mail server.

How to handle overlapping email addresses
If you have a user overlap, eg. John Smith (john@my-site.com) and John Brown (john@my-other-site.com), both users will get sent to the Linux user account "john" by default. You have two choices:
o Make the user part of the email address different. For example: john1@my-site.com and john2@my-other-site.com. Create Linux accounts "john1" and "john2". The POP configuration in Outlook Express for each user should POP using "john1" and "john2" respectively.
o If the users insist on overlapping names then you may need to modify your virtusertable file. Create the user accounts "john1" and "john2". Have virtusertable entries for john@my-site.com pointing to account "john1" and john@my-other-site.com pointing to account "john2".

Chapter 22: Configuring The DHCP Server

• For example, the RedHat 8.0 RPM as of this writing was: dhcp-3.0pl1-9.i386.rpm
• Install the package using the following command:
    [root@bigboy tmp]# rpm -Uvh dhcp-3.0pl1-9.i386.rpm

The /etc/dhcp.conf File
When DHCP starts it reads the file /etc/dhcp.conf. It uses the commands here to configure your network. Normally you can find a sample copy of dhcpd.conf in the following directory which you can always use as a guide:
    /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample
Here is a quick explanation of the dhcp.conf file. Most importantly, there must be a "subnet" section for each interface on your Linux box.

    ddns-update-style interim;          # Redhat Version 8.0+

    # Set the amount of time in seconds that
    # a client may keep the IP address
    default-lease-time 86400;
    max-lease-time 86400;

    # Don't forward DHCP requests from this
    # NIC interface to any other NIC
    # interfaces
    option ip-forwarding off;

    subnet 192.168.1.0 netmask 255.255.255.0 {
        # The range of IP addresses the server
        # will issue to DHCP enabled PC clients
        # booting up on the network
        range 192.168.1.201 192.168.1.220;

        # Set the default gateway to be used by
        # the PC clients
        option routers 192.168.1.1;

        # Set the broadcast address and subnet mask
        # to be used by the DHCP clients
        option broadcast-address 192.168.1.255;
        option subnet-mask 255.255.255.0;

        # Set the NTP server to be used by the
        # DHCP clients (ntp-servers is the NTP option;
        # nntp-server would point clients at a news server)
        option ntp-servers 192.168.1.100;

        # Set the DNS server to be used by the
        # DHCP clients
        option domain-name-servers 192.168.1.100;

        # If you specify a WINS server for your Windows clients,
        # you need to include the following option in the dhcpd.conf file:
        option netbios-name-servers 192.168.1.100;
    }

    #
    # List an unused interface here
    #
    subnet 192.168.2.0 netmask 255.255.255.0 {
    }

    # You can also assign specific IP addresses based on the clients'
    # ethernet MAC address as follows (Host's name is "smallfry"):
    host smallfry {
        hardware ethernet 08:00:2b:4c:59:23;
        fixed-address 192.168.1.222;
    }

There are many more option statements you can use to configure DHCP. These include telling the DHCP clients where to go for services such as finger and IRC. Check the dhcp-options man page after you do your install. The command to do this follows:
    [root@bigboy tmp]# man dhcp-options

Upgrading Your DHCP Server
Always refer to this sample file after doing an upgrade as new required commands may have been added. For example, in Redhat Version 8.0 (dhcpd version 3.0b2pl11) you will need to add the following line at the very top of the config file or else you will get errors:
    ddns-update-style interim;
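A pre-restart sanity check for a dhcpd.conf like the one above, written as an added example (it is not part of the manual and is not ISC's parser): it only understands the statements the sample uses (ddns-update-style, subnet/range, host/fixed-address), and the config it checks is a constructed copy of the sample.

```python
"""Check a dhcpd.conf for the mistakes that make dhcpd refuse to start or
hand out colliding addresses.  Added example with a constructed sample
config; handles only the statement subset used in the manual's sample."""
import ipaddress
import re

# Constructed sample, mirroring the manual's configuration.
SAMPLE_CONF = """\
ddns-update-style interim;
default-lease-time 86400;
max-lease-time 86400;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.201 192.168.1.220;    # dynamic pool
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.100;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
}
host smallfry {
    hardware ethernet 08:00:2b:4c:59:23;
    fixed-address 192.168.1.222;
}
"""


def parse_conf(text):
    """Extract subnets (with their ranges), host reservations and the
    ddns-update-style flag.  Comments are stripped first; nested pool {}
    blocks are not supported (the sample has none)."""
    text = re.sub(r"#[^\n]*", "", text)
    subnets = []
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
                  for a, b in re.findall(r"range\s+(\S+)\s+(\S+?);", m.group(3))]
        subnets.append({"network": net, "ranges": ranges})
    hosts = []
    for m in re.finditer(r"host\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = m.group(2)
        mac = re.search(r"hardware\s+ethernet\s+([0-9a-fA-F:]+);", body)
        fixed = re.search(r"fixed-address\s+(\S+?);", body)
        hosts.append({"name": m.group(1),
                      "mac": mac.group(1).lower() if mac else None,
                      "fixed": ipaddress.ip_address(fixed.group(1)) if fixed else None})
    ddns = re.search(r"^\s*ddns-update-style\s+\S+;", text, re.M) is not None
    return {"ddns_update_style": ddns, "subnets": subnets, "hosts": hosts}


def check_conf(text):
    """Return a list of human-readable problems; an empty list means clean."""
    conf = parse_conf(text)
    problems = []
    if not conf["ddns_update_style"]:
        problems.append("missing ddns-update-style (dhcpd 3.x exits without it)")
    for s in conf["subnets"]:
        for lo, hi in s["ranges"]:
            if lo > hi:
                problems.append(f"range {lo}-{hi} in {s['network']} is reversed")
            if lo not in s["network"] or hi not in s["network"]:
                problems.append(f"range {lo}-{hi} lies outside subnet {s['network']}")
    seen_macs = {}
    for h in conf["hosts"]:
        if h["mac"] in seen_macs:
            problems.append(f"host {h['name']} reuses the MAC of host {seen_macs[h['mac']]}")
        seen_macs[h["mac"]] = h["name"]
        ip = h["fixed"]
        if ip is None:
            continue
        home = [s for s in conf["subnets"] if ip in s["network"]]
        if not home:
            problems.append(f"host {h['name']}: fixed-address {ip} is in no declared subnet")
            continue
        for lo, hi in home[0]["ranges"]:
            if lo <= ip <= hi:   # a reservation inside the pool will collide with leases
                problems.append(f"host {h['name']}: fixed-address {ip} is inside dynamic range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for p in check_conf(SAMPLE_CONF) or ["OK: no problems found"]:
        print(p)
```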

How to get DHCP started
• Before you start the DHCP server for the first time, it will fail unless there is an existing dhcpd.leases file. Use the command "touch /var/lib/dhcp/dhcpd.leases" to create the file if it does not exist.
    [root@bigboy tmp]# touch /var/lib/dhcp/dhcpd.leases
• Use the chkconfig command to get DHCP configured to start at boot:
    [root@bigboy tmp]# chkconfig --level 35 dhcpd on
• Use the /etc/init.d/dhcpd script to start/stop/restart DHCP after booting:
    [root@bigboy tmp]# /etc/init.d/dhcpd start
    [root@bigboy tmp]# /etc/init.d/dhcpd stop
    [root@bigboy tmp]# /etc/init.d/dhcpd restart
• Remember to restart the DHCP process every time you make a change to the conf file for the changes to take effect on the running process. You also can test whether the DHCP process is running with the following command; you should get a response of plain old process ID numbers:
    [root@bigboy tmp]# pgrep dhcpd
• Finally, always remember to set your PC to get its IP address via DHCP.

Modify Your Routes for DHCP on Linux Server
When a DHCP configured PC boots, it will request its IP address from the DHCP server. It does this by sending a standardized DHCP broadcast request packet to the DHCP server with a source IP address of 255.255.255.255. You will have to add a route for this address on your Linux DHCP server so that it knows the interface on which to send the reply. (In both examples below, we're assuming that DHCP requests will be coming in on interface eth0.) Note: More information on adding Linux routes and routing may be found in the Linux Networking chapter.

Temporary solution
o Add the route to 255.255.255.255 from the command line.

    To get the same behaviour as in 3.0b2pl11 and previous versions, add a line
    that says "ddns-update-style ad-hoc;" Please read the dhcpd.conf manual page
    for more information. **

    ** If you did not get this software from ftp.isc.org, please get the latest
    from ftp.isc.org and install that before requesting help.

    ** If you did get this software from ftp.isc.org and have not yet read the
    README, please read it before requesting help. If you intend to request
    help from the dhcp-server@isc.org mailing list, please read the section on
    the README about submitting bug reports and requests for help.

    ** Please do not under any circumstances send requests for help directly to
    the authors of this software - please send them to the appropriate mailing
    list as described in the README file.

    exiting.
                                                               [FAILED]

Chapter 23: The NTP Server

There are a number of freely available NTP client programs for Windows. You can use them to practice with your new NTP server.

Download and Install The NTP Package
Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, the chapter on RPMs covers how to do this in detail.
• The latest version of the RPM for RedHat 8.0 is: ntp-4.1.1-1.i386.rpm
• Install the package using the following command:
    [root@bigboy tmp]# rpm -Uvh ntp-4.1.1-1.i386.rpm

The /etc/ntp.conf File
This is the main configuration file for Linux NTP in which you place the IP addresses of the stratum 1 and stratum 2 servers you want to use. Here is a sample of a home configuration using a pair of sample Internet based NTP servers:
• First we specify the servers we're interested in:
    server otherntp.server.org      # A stratum 1 server at server.org
    server ntp.research.gov         # A stratum 2 server at research.gov
• Then we restrict the type of access you allow these servers. In this example we're not allowing them to modify or query our Linux NTP server.
    restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
    restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
  The mask statement 255.255.255.255 is really a subnet mask limiting access to the single IP address of the remote NTP servers.
• Now list the NTP clients on our home network which should be querying our server for the time (notice that the noquery has been removed):
    restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
  In this case the mask statement has been expanded to include all 255 possible IP addresses on our local network.
• We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:
    restrict 127.0.0.1
• Last, but most importantly, you need to make sure the default restrict statement is removed. It will override all other restrict statements and you'll find your NTP server will only be communicating properly with itself. If the line is there, comment it out like this:
    #restrict default ignore
• Save the file.
• Do the following commands twice for each new server added to /etc/ntp.conf:
    [root@bigboy tmp]# ntpdate otherntp.research.gov
    24 Mar 18:16:36 ntpdate[10254]: step time server 200.100.20.10 offset 15.266188 sec
    [root@bigboy tmp]# ntpdate otherntp.research.gov
    24 Mar 18:16:43 ntpdate[10255]: adjust time server 200.100.20.10 offset -0.000267 sec

How To Get NTP Started
• To get NTP configured to start at boot:
    [root@bigboy tmp]# chkconfig --level 35 ntpd on
• To start/stop/restart NTP after booting:
    [root@bigboy tmp]# /etc/init.d/ntpd start
    [root@bigboy tmp]# /etc/init.d/ntpd stop
    [root@bigboy tmp]# /etc/init.d/ntpd restart
  Remember to restart the NTP process every time you make a change to the conf file for the changes to take effect on the running process.
• You can test whether the NTP process is running with the following command; you should get a response of plain old process ID numbers:
    [root@bigboy tmp]# pgrep ntpd
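To see what each restrict line above actually grants before restarting ntpd, here is an added example (my own code, not from the manual) that reads the restrict lines of a constructed copy of the sample ntp.conf and reports, per client address, which requests the flags leave open. It assumes ntpd's rule that the most specific matching line wins, and it uses a constructed name table in place of DNS for the two server names.

```python
"""Evaluate ntp.conf restrict lines for sample clients.  Added example with a
constructed sample config and a constructed name table; models only the
restrict flags (ignore, noquery, nomodify, notrap), not key authentication."""
import ipaddress

# Constructed copy of the manual's sample /etc/ntp.conf.
SAMPLE_NTP_CONF = """\
server otherntp.server.org      # A stratum 1 server at server.org
server ntp.research.gov         # A stratum 2 server at research.gov
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1
#restrict default ignore
"""

# Constructed stand-in for DNS: the manual's server names are not real hosts.
NAMES = {"otherntp.server.org": "200.100.20.10", "ntp.research.gov": "200.100.20.11"}

# Which flag denies which kind of request; 'ignore' denies everything.
DENIED_BY = {"sync": {"ignore"}, "query": {"ignore", "noquery"},
             "modify": {"ignore", "nomodify"}, "trap": {"ignore", "notrap"}}


def parse_restricts(text):
    """Return a list of (network, flags) from the restrict lines of an ntp.conf."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments out, so '#restrict' is skipped
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue
        target, flags = parts[1], parts[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            addr = NAMES.get(target, target)     # restrict lines may name a host
            mask = "255.255.255.255"             # no mask means a single address
            if flags[:1] == ["mask"]:
                mask, flags = flags[1], flags[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, frozenset(flags)))
    return rules


def effective_flags(rules, client_ip):
    """ntpd applies the most specific matching restrict line (longest mask)."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, flags) for net, flags in rules if ip in net]
    if not matches:
        return frozenset()                       # no line matches: unrestricted
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def allowed(rules, client_ip, action):
    """True if a client may 'sync', 'query', 'modify' or 'trap' this server."""
    return not (DENIED_BY[action] & effective_flags(rules, client_ip))


def access_report(text, client_ips):
    """Map each client address to the sorted list of actions it may perform."""
    rules = parse_restricts(text)
    return {ip: sorted(a for a in DENIED_BY if allowed(rules, ip, a))
            for ip in client_ips}


if __name__ == "__main__":
    sample_clients = ["200.100.20.10", "192.168.1.50", "127.0.0.1", "10.9.8.7"]
    for ip, actions in access_report(SAMPLE_NTP_CONF, sample_clients).items():
        print(f"{ip:15} may: {', '.join(actions)}")
```

The last constructed client (10.9.8.7) matches no restrict line at all, which is what the sample config leaves open once the default line is commented out.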

    ciscorouter(config)# ntp server 192.168.1.100
    ciscorouter(config)# ntp server 192.168.1.201
    ciscorouter(config)# exit
    ciscorouter# wr mem
An explanation of the commands used follows.
o ntp server: Forms a server association with another system.
o ntp update-calendar: Configures the system to update its hardware clock from the software clock at periodic intervals.

CAT OS
Here are the commands you would use to make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201.
    ciscoswitch> enable
    password: *********
    ciscoswitch# set ntp client enable
    ciscoswitch# ntp server 192.168.1.100
    ciscoswitch# ntp server 192.168.1.201
    ciscoswitch# exit
o set ntp client enable: Activate the NTP client.
o ntp server: Forms a server association with another system.

Firewalls and NTP
NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (ie. greater than 1023), but 123 also. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing. A sample Linux iptables firewall script snippet is in the Appendix.

Chapter 24 : Configuring Cisco PIX Firewalls

Accessing the PIX command line

Via The Console Port
Your Cisco PIX will come with a console cable that will allow you to configure your PIX using terminal emulation software such as Hyperterm. Once you've set up your PIX with an IP address you'll be able to access it via Telnet.

Via Telnet
o One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the PIX firewall "pixfw" has the IP address 192.168.1.1:
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain localhost
    192.168.1.1     pixfw
    192.168.1.100   bigboy mail.my-site.com
o Once connected to the network you can access the PIX via telnet:
    [root@bigboy tmp]# telnet pixfw
    Trying 192.168.1.1...
    Connected to pixfw.
    Escape character is '^]'.

    User Access Verification
    Password:
    Type help or '?' for a list of available commands.
    pixfw> enable
    Password: ********
    pixfw#
o You'll be prompted for a password and will need another password to get into the privileged "enable" mode. There is no password in a fresh out of the box PIX and simply hitting the "Enter" key will be enough. You will want to change your "password" and "enable password" right after completing your initial configuration. If you are directly connected to the console, you should get a similar prompt too.
o Use the "write terminal" command to see the current configuration.
    pixfw# wr term
    Building configuration...

    ip address inside 192.168.1.1 255.255.255.0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname dsl-username
    vpdn group ISP ppp authentication pap
    vpdn username dsl-username password dsl-password
In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1. You must be using PIX IOS version 6.2 or greater for this to work.

NAT Configuration
Here we allow any traffic coming in on the inside (private/protected) interface to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall. If DSL DHCP has assigned an address of 97.158.253.12 then the traffic passing through the firewall, from your protected PCs, will appear to be coming from address 97.158.253.12.
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Dynamic DNS Port Forwarding Entries
Here we allow all incoming www traffic (on TCP port 80) destined for the firewall's interface to be forwarded to the web server at 192.168.1.100 on port 80 (www). Once configured, you may be able to hit your website using PCs behind your firewall using the firewall's outside interface's IP address as the destination, eg: http://firewall-outside-ip-address
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any eq www
    access-group inbound in interface outside
    static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255

How To Get Static IPs For DSL Cheaply
Many ISP DSL providers offer cheap DHCP (dynamic IP) service. Due to competition they'll even throw in a DSL modem and even a router for free. This service frequently isn't available for users with static IPs which the ISPs frequently feel are businesses. If you really want static IP addresses and are willing to pay the higher monthly fee, then you can reduce your installation costs by:
• Ordering DHCP DSL first with the free modem and/or router
• Upgrading to static IPs a week later. They probably won't ask about the modem and/or router, and it becomes bundled in free.

Sample PIX configuration: DSL - Static IPs
PPPoE authentication is only required for DSL DHCP. Once you go for static IPs, the vpdn statements won't be required. In this example the internet subnet that has been assigned is 97.158.253.24 with a mask of 255.255.255.248 (/29). The IP address selected for the PIX is 97.158.253.25; the default gateway is 97.158.253.30. If you are converting from dynamic to static IP addresses, you do not need the vpdn PIX command statements for static IPs:
    ip address outside 97.158.253.25 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 97.158.253.30
In this example, the IP address of the PIX is 192.168.1.1. As the PIX will be acting as your default gateway to the internet, you will have to set the default gateway on all your servers to be 192.168.1.1.

Outgoing Connections NAT Configuration
Here we allow connections originating from servers connected to the inside (private/protected) interface with an IP address in the range 192.168.1.0 to 192.168.1.255 to be NAT-ted to the IP address of the outside (Public/unprotected) interface of the firewall, which is 97.158.253.25:
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0

Incoming Connections NAT Configuration
Here we allow the firewall to handle traffic to a second IP address, namely 97.158.253.26; we then allow all incoming traffic to be forwarded to the protected web server which has an IP address of 192.168.1.100. Only www and DNS (Port 53) traffic is allowed to access it via an access control list applied to the outside interface. Once configured, you won't be able to hit your website from PCs behind your firewall using the public IP address assigned to your web server as the destination. You'll have to ask a friend to check it out.
    access-list inbound permit tcp any host 97.158.253.26 eq www
    access-list inbound permit tcp any host 97.158.253.26 eq 53
    access-list inbound permit udp any host 97.158.253.26 eq 53
    access-group inbound in interface outside
    static (inside,outside) 97.158.253.26 192.168.1.100 netmask 255.255.255.255 0 0
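To confirm that the "inbound" access list above really exposes nothing but www and DNS on the second public address, here is an added example (my own code, not from the manual or from Cisco): a first-match evaluator for the subset of access-list syntax the sample uses (permit/deny, tcp/udp/icmp/ip, any / host X / network mask, optional "eq port"), run over constructed sample packets. 203.0.113.9 is a constructed remote address.

```python
"""Evaluate a PIX access list against sample packets.  Added example with a
constructed copy of the manual's 'inbound' list; implements first-match
semantics with the PIX's implicit deny at the end."""
import ipaddress

# Constructed copy of the access list from the static-IP configuration.
INBOUND_ACL = """\
access-list inbound permit tcp any host 97.158.253.26 eq www
access-list inbound permit tcp any host 97.158.253.26 eq 53
access-list inbound permit udp any host 97.158.253.26 eq 53
"""

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ssh": 22, "telnet": 23}


def _port(tok):
    """Port token: a number or one of the names PIX accepts."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(tokens, i):
    """Parse 'any', 'host X' or 'NET MASK' at tokens[i]; return (matcher, next_i)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ipaddress.ip_address(ip) == t), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return (lambda ip, n=net: ipaddress.ip_address(ip) in n), i + 2


def parse_acl(text, name):
    """Return ordered rules (action, proto, src_match, dst_match, dst_port) for one list."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry decides; no match means the PIX's implicit deny."""
    for action, rproto, src, dst, port in rules:
        if rproto not in ("ip", proto):
            continue
        if not (src(src_ip) and dst(dst_ip)):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    rules = parse_acl(INBOUND_ACL, "inbound")
    samples = [("tcp", "203.0.113.9", "97.158.253.26", 80),
               ("udp", "203.0.113.9", "97.158.253.26", 53),
               ("tcp", "203.0.113.9", "97.158.253.26", 22),
               ("tcp", "203.0.113.9", "97.158.253.25", 80),
               ("icmp", "203.0.113.9", "97.158.253.26", None)]
    for proto, s, d, p in samples:
        print(f"{proto:4} {s} -> {d}:{p}  {'permit' if evaluate(rules, proto, s, d, p) else 'deny'}")
```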

Chapter 25: Configuring Cisco DSL Routers

An Introduction to Network Address Translation (NAT)
Network address translation is a method used to help conserve the limited number of IP addresses available for internet purposes. The introduction to networking page explains the concept in more detail in addition to other fundamental topics. We will return to the NAT discussion, specifically how to configure it, later in this chapter, but first a very basic introduction on how to configure and use Cisco DSL routers.

Introduction to accessing the router command line

Via The Console Port
Your Cisco router will come with a console cable that will allow you to configure your router using terminal emulation software such as Hyperterm. Once you've set up your router with an IP address you'll be able to access it via Telnet.

Via Telnet
o One easy way to get access to any device on your network is using the /etc/hosts file. Here you list all the IP addresses of important devices that you may want to access with a corresponding nickname. Here is a sample in which the router "ciscorouter" has the IP address 192.168.1.1:
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1       localhost.localdomain localhost
    192.168.1.1     ciscorouter
    192.168.1.100   bigboy mail.my-site.com
o Once connected to the network you can access the router via telnet:
    [root@bigboy tmp]# telnet ciscorouter
    Trying 192.168.1.1...
    Connected to ciscorouter.
    Escape character is '^]'.

    User Access Verification
    Password:
    Type help or '?' for a list of available commands.
    ciscorouter> enable
    Password: ********
o You'll be prompted for a password and will need another password to get into the privileged "enable" mode. There is no password in a fresh out of the box Cisco router and simply hitting the "Enter" key will be enough. If you are directly connected to the console, you should get a similar prompt too.

Sample Configurations

DSL Router With Built-In Modem - DHCP
o DHCP and DSL requires you to get a pppoe password and username from your ISP. Most ISPs have a homepage where you can register to get the username and password; ask customer service for the URL. You should substitute this username and password for PPP "username" and "password" listed below.
o Cisco IOS doesn't support DHCP DSL and NAT. If this is so, then putting an Internet accessible web server on your home network would be impossible using the routers mentioned above in this configuration.
o Here is a sample configuration for a Cisco home router. Some of the commands listed are part of Cisco's default settings. Do the "show run" command before starting to configure your router to see what commands you'll really need. Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration.

Cisco DSL Router With Built-in Modem Configuration (DHCP)
    !
    vpdn enable
    no vpdn logging
    !--- Configure the router's PPPoE client so that it
    !--- can setup a session with the ISP
    !
    vpdn-group pppoe
     request-dialin
      protocol pppoe
    !--- Configure the home / SOHO network interface's
    !--- IP address
    !--- The "ip nat" statement tells your router that
    !--- this interface:
    !--- 1) uses NAT
    !--- 2) is the inside "private" interface
    !
    interface FastEthernet0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !--- Configure the DSL interface
    !--- Your ISP may provide you with a different pvc
    !--- value not necessarily "1/1"
    !
    interface ATM0
    !--- 3) Giving it an outside "public" address that is the
    !--- same as interface Dialer1 gets from the PPPoE
    !--- connection
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 dialer1
    no ip http server
    !
    access-list 1 permit 192.168.1.0 0.0.0.255

If your ISP tells you that you need to do the PAP, and not the CHAP, type of authentication then you'll have to replace the lines:
    ppp authentication chap callin
    ppp chap hostname <username>
    ppp chap password <password>
with only these two:
    ppp authentication pap callin
    ppp pap sent-username <username> password <password>

DSL Router With Built-In Modem - Static IP
o Here is a sample configuration for a Cisco home router with a built-in modem. This example also shows how to use NAT so you can have a web server / mail server / FTP server etc. in your home network. Some of the commands listed are part of Cisco's default settings. Do the "show run" command before starting to configure your router to see what commands you'll really need. Remember to be in "config" mode to enter these commands and remember to do a "write memory" at the end to permanently save the configuration.

Cisco DSL Router With Built-in Modem Configuration (Static IP)
    Current Configuration:
    !
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    !
    hostname ciscorouter
    !
    ip subnet-zero
    no ip domain-lookup
    !
    bridge irb

How To Troubleshoot NAT
To troubleshoot NAT after you have logged into the router via Telnet requires you to first activate logging to the telnet terminal with the terminal monitor command and then using the debug ip nat detailed command to visualize the translation process.
    ciscorouter> enable
    Password: ********
    ciscorouter#term mon
    ciscorouter#debug ip nat detailed
    IP NAT detailed debugging is on
    ciscorouter#
    03:29:49: NAT: creating portlist proto 6 globaladdr 97.158.253.26
    03:29:49: NAT: Allocated Port for 192.168.1.100 -> 97.158.253.26: wanted 80 got 80
    03:29:49: NAT: o: tcp (198., 5698) -> (97.158.253.26, 80) [0]

    ciscorouter> enable
    Password: ********
    ciscorouter#show ip nat translation
    Pro Inside global       Inside local         Outside local        Outside global
    tcp 97.158.253.26:80    192.168.1.100:80     67.34.217.6:5698     67.34.217.6:5698
    tcp 97.158.253.26:80    192.168.1.100:80     ---                  ---
    ciscorouter#

Cisco uses the following terms for the various IP addresses you'll find in any NAT translation process.
o The Inside local address is the actual IP address of the local server on your home network.
o The Inside global address is the IP address of the server presented to the Internet after NAT.
o The Outside local address is the actual IP address of the remote computer on its local network.
o The Outside global address is the IP address of the remote computer as presented on the Internet.

As you can see, NAT seems to be functioning properly for the web server 192.168.1.100 on the home network, and more specifically that remote host 67.34.217.6 was communicating with the inside global address of 97.158.253.26.

Appendix I : Miscellaneous Topics

Encryption
The process of encoding VPN data to protect it from unauthorized viewing except by the intended recipient who has the decoder key.

IPSec
The name given to a number of data communications protocols designed to authenticate and encrypt VPN data to protect it from unauthorized viewing or modification as it is transmitted across a network.

Authentication Header (AH)
One of two IPSec security protocols. Provides authentication and anti-replay services, without encryption. It does this by adding its own security header to the original IP packet.

Encapsulating Security Protocol (ESP)
The other IPSec security protocol. Provides authentication, encryption, and anti-replay services. It does this by encrypting the data within the packet and then adding its own security header to the original IP packet. As ESP headers don't authenticate the outer IP header like AH headers, AH and ESP are often used in combination with each other. This is called Transport Adjacency.

Transport mode VPNs
The original source and destination address of the data being sent over the VPN is unchanged. Here are some examples of what transport mode VPN IP packets will look like. (For more information on the IP protocol, please refer to the OSI model page.)

Transport mode AH packet format
    Original IP Header | Inserted AH Header | Original TCP Header | DATA

Transport mode AH / ESP packet format
    Original IP Header | Inserted AH Header | Inserted ESP Header | Original TCP Header | DATA

Tunnel mode VPNs
The original source and destination address of the data being sent over the VPN is changed by encapsulating the original IP packet within another IP packet, header and all, in an effort to provide an additional layer of security by not revealing the true identities of the servers communicating with each other. The original packet is frequently encrypted. Here are some examples of what tunnel mode VPN IP packets will look like. (For more information on the IP protocol, please refer to the OSI model page.)

Tunnel mode AH packet format
    New IP Header | Inserted AH Header | Original IP Header | Original TCP Header | DATA

Tunnel mode AH / ESP packet format
    New IP Header | Inserted AH Header | Inserted ESP Header | Original IP Header | Original TCP Header | DATA

Authentication methods
IPSec data integrity is usually provided by one of two Hashed Message Authentication Code (HMAC) methods:
o Message Digest 5 (MD5)
o Secure Hash Algorithm (SHA-1)

Encryption methods
IPSec usually uses one of two methods to encrypt data:
o The Data Encryption Standard (DES) using a 56-bit encryption key
o Triple DES using a 168-bit encryption key

Internet Key Exchange (IKE)
IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.
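The packet formats and the HMAC authentication methods above come together in the AH Integrity Check Value, so here is an added example (my own didactic model, not the manual's and not a real IPSec stack) of the transport-mode AH layout from the first table: it builds IPv4 header + AH header + TCP segment, computes an HMAC-SHA1-96 ICV over the packet with the mutable IP fields zeroed, and shows that a TTL decrement in transit still verifies while a changed source address does not. The key, addresses and TCP segment are constructed sample values.

```python
"""Transport-mode AH: build a packet, compute the ICV, verify after changes.
Added example with constructed key/packet values; models the RFC 2402 rule
that mutable IP fields (TOS, flags/fragment, TTL, checksum) and the ICV itself
are zeroed before the HMAC is taken."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"      # constructed sample key, not a real one
AH_PROTO = 51                      # IP protocol number of AH
ICV_LEN = 12                       # HMAC-SHA1-96 truncates the 20-byte digest to 12
AH_LEN = 12 + ICV_LEN              # fixed AH fields plus the ICV


def ip_checksum(data):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid checksum; src/dst are dotted strings."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_hdr, spi, seq, icv):
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv


def zero_mutable(packet):
    """Copy of the packet with mutable IP fields and the ICV zeroed for the HMAC."""
    p = bytearray(packet)
    p[1] = 0                                   # TOS
    p[6:8] = b"\x00\x00"                       # flags + fragment offset
    p[8] = 0                                   # TTL
    p[10:12] = b"\x00\x00"                     # header checksum
    p[20 + 12:20 + AH_LEN] = bytes(ICV_LEN)    # ICV field inside AH
    return bytes(p)


def compute_icv(packet, key=KEY):
    return hmac.new(key, zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(src, dst, tcp_segment, spi=0x1000, seq=1, ttl=64):
    """Original IP header | inserted AH header | original TCP segment."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(tcp_segment), ttl)
    draft = ip + ah_header(6, spi, seq, bytes(ICV_LEN)) + tcp_segment   # 6 = TCP follows
    return ip + ah_header(6, spi, seq, compute_icv(draft)) + tcp_segment


def verify_ah(packet, key=KEY):
    """True if the ICV carried in the AH header matches a recomputation."""
    received = packet[20 + 12:20 + AH_LEN]
    return hmac.compare_digest(received, compute_icv(packet, key))


def _fix_checksum(p):
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)


def set_ttl(packet, ttl):
    """Model a router decrementing TTL and rewriting the IP checksum."""
    p = bytearray(packet)
    p[8] = ttl
    return _fix_checksum(p)


def set_src(packet, src):
    """Model an on-path rewrite of the source address (what AH is meant to catch)."""
    p = bytearray(packet)
    p[12:16] = bytes(int(x) for x in src.split("."))
    return _fix_checksum(p)


if __name__ == "__main__":
    seg = b"\x04\xd2\x00\x50" + b"constructed payload"     # constructed TCP segment
    pkt = build_ah_transport("192.168.1.100", "97.158.253.26", seg)
    print("as sent        :", verify_ah(pkt))
    print("after TTL hop  :", verify_ah(set_ttl(pkt, 63)))
    print("source rewritten:", verify_ah(set_src(pkt, "10.0.0.1")))
```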

IKE authentication methods
There are two main methods of establishing a trusted relationship between two devices that want to create a VPN between themselves:

Public key cryptography using RSA encryption
RSA overview
Each VPN device has its own public and private keys. Anything encrypted with one of the keys can only be decrypted with the other. This allows you to create a signature when the message is encrypted with a sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key. As the message could be decrypted using the sender's public key, this means that the holder of the private key created the message. A successful exchange requires the receiver to have a copy of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender, and not to someone pretending to be the sender. This is done using Certification Authorities.

CA overview
A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department, or IP address. It will also contain a copy of the entity's public key. Certificates are managed and issued by Certification authorities (CAs). A CA can either be a trusted public third party, such as VeriSign, or an "in-house" private server that you establish within your organization. Prior to installing a certificate based VPN, each VPN device must be pre-configured with the certificate generated for them by the CA. The VPN devices will also be pre-configured with the CA's certificate. During the key exchange, the VPN peers authenticate by sending each other the certificate issued to them by the CA, but encrypted using their private key. Each peer then uses the pre-installed CA certificate they have to authenticate with the CA and securely receive the other peer's certificate from the CA using public key cryptography. Each peer then extracts the public key from the certificate they receive from the CA and then uses it to decrypt the certificate they just received from the other peer. Once the certificates received from the CA and the other peer match, authentication is complete.

Shared keys
The devices at each end of the VPN use a shared key or password. The disadvantage is that each pair of VPN connections needs a set of keys, making it difficult for large scale implementations. Unlike the RSA method, there is no CA to provide an impartial audit trail of VPN connection initiations.

IKE's role in creating Security Associations
Once authentication is complete, IKE is then used by the VPN peers to negotiate the security associations (SAs) to be used at each end point. (SAs are permanent when manually established.) SAs are comprised of two factors:

Transforms
Describes how the data will be transformed by the VPN to provide the desired security. This includes:
• Packet encryption methods
• Packet authentication methods
• Transport versus tunnel mode
• AH and or ESP usage
• SA lifetime before it is renegotiated

Shared keys
The actual keyword used by the encryption and authentication to protect the data.

IKE and ISAKMP
IKE uses special ISAKMP IP packets using "protocol 50" to establish a Security Association. This uses UDP packets using port 500. Unusually, the source and destination port is 500.

VPN Security And Firewalls
o All security devices in the path of a VPN connection will have to allow "protocol 50" between the two VPN devices to ensure that IKE works properly.
o The VPN uses a separate channel through which the encrypted data passes. This must also be allowed to pass through unimpeded.
o In permanent VPNs, you may have to open up these ports and protocols to the CA as well.

VPN User Authentication Methods For Temporary Connections
The above sections have been slanted towards a permanent connection between purpose built VPN devices. Frequently the device at the other end of the connection is a PC. Here are some authentication methods used in such
.

Types Of Dial Up VPN Authentication

Method: IKE-XAUTH secured RADIUS
Description: Usernames and passwords entered into the VPN remote login software are relayed by the VPN device at the remote end to a trusted RADIUS server. If the username / password combination is valid for remote login then the RADIUS server will authorize the VPN device to continue with the IKE interchange.

Method: ACE/SecurID
Description: Software uses a username and password in conjunction with a digital key FOB whose authentication serial number changes every few minutes for a login to occur. In order to login, the user not only has to enter the username & password, but also the PIN tied to the FOB plus the FOB's dynamic serial number which is synchronized with the authentication server at the other end of the VPN.

Method: Windows Domain
Description: Remote home user authentication relies on the same username / password combination of the Windows Domain Controller that the user would normally use to login when they are at work.

Method: Local user database
Description: Valid usernames and passwords are configured into the VPN device at the other end of the VPN.

Appendix I : Miscellaneous Topics

Running Linux Without A Monitor
You can reduce the cost of ownership of your Linux system by not using a VGA monitor. In such cases, access to the Linux box can be more cheaply provided via the COM port. This creates what is also known as a "headless" system. Operating costs may not be important at home, but will be in a corporate environment with large numbers of Linux servers racked in data centers.

I've included this section as I have occasionally hosted the website www.linuxhomenetworking.com at friends' homes and felt badly about borrowing their monitors. Having access via the COM ports has also helped me in both the home and business situations. The most common occurrence is when the system is hung, locking out network access, and I need to get to it by using:
• A notebook PC with a console cable connected to the COM port.
• A modem connected to the COM port
• Telnet to login to a terminal server that has one of its ports connected to the Linux box's COM port

Preparing To Go "Headless"
o One of the advantages of this method is that you don't need a keyboard either. Unfortunately your BIOS may halt the system during the Power On Self Test (POST) if it doesn't detect a keyboard. This feature can usually be found on the very first screen under the "Halt On" option. Make sure you disable this feature in the BIOS setup of your PC before proceeding.
o You will also need to make sure that you have activated your COM ports in your BIOS settings.
o For non-modem connectivity (PC to PC) connect a NULL modem cable to the COM port you want to test and connect the other end to the client PC running "Hyperterm" or whatever terminal emulation software you are using. If you're using a modem for connectivity, then you'll need a FULL modem cable and testing will have to be done using a dial up connection. One popular Linux equivalent to Hyperterm is "minicom". A brief configuration guide for minicom follows the section below.

Configuration Steps
In RedHat Linux, the COM1 and COM2 ports are controlled by a program called "agetty", but "agetty" usually isn't activated when you boot up unless its configuration file /etc/inittab is modified. In other versions of Linux, "agetty" may be called just plain "getty". Here is a table that lists the physical ports to their equivalent Linux device names.

Port    Linux "agetty" Device Name
COM1    ttyS0
COM2    ttyS1

The following lines added to /etc/inittab will configure your COM ports for terminal access:

# Run COM1 and COM2 gettys in standard runlevels
S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102

In summary, these lines mean:
o At boot time, when the system enters runlevels 2, 3 or 5, "agetty" must attach itself to devices ttyS0 and ttyS1 and emulate a VT102 terminal running at 19200 baud.
o The "-L" means ignore modem control signals; this option should be omitted if you are connecting the port to a modem.
o The respawn means that agetty will restart automatically if, for whatever reason, it dies.

The next step is to restart the "init" process to re-read /etc/inittab:

[root@bigboy tmp]# init q

Now you need to configure the terminal client such as "Hyperterm" to match the speed settings in /etc/inittab. Connect the console / modem cable between the client and your Linux box. Hit "enter" a couple of times, and celebrate when you see something like this:

Red Hat Linux release 8.0 (Psyche)
Kernel 2.4.18-14 on an i586

bigboy login:

Note: By default, user "root" will not be able to log in from a terminal. To allow this you'll have to edit the /etc/securetty file, which contains the device names of tty lines on which root is allowed to login. Just add ttyS0 and ttyS1 to the list if you need this access.
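The /etc/securetty note above is the part of this setup that decides who can become root over a serial cable, so it is worth checking against /etc/inittab rather than trusting memory. The following is an added example, not part of the manual: it parses copies of the two files (the constructed samples below reuse the two agetty lines from the text, with ttyS0 added to securetty and ttyS1 left out) and reports, for every COM port that has a getty attached, the speed, runlevels, whether modem signals are ignored, and whether root may log in there. The file contents and the hypothetical function names are assumptions.

```python
"""Audit serial-console logins: /etc/inittab gettys versus /etc/securetty.

Added example, not from the manual. It parses the two files as plain text
(copies of them, or the constructed samples below), reports every COM port
that offers a login prompt, and says whether root may log in there, which is
what the /etc/securetty note above controls.
"""
import re
from typing import Dict, List

# Constructed sample: the two agetty lines from the text, plus the usual
# default-runlevel entry, so the parser has to skip non-getty lines too.
SAMPLE_INITTAB = """\
id:3:initdefault:
# Run COM1 and COM2 gettys in standard runlevels
S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102
"""

# Constructed sample: a /etc/securetty with ttyS0 added (ttyS1 deliberately
# left out) so the audit shows both outcomes.
SAMPLE_SECURETTY = """\
tty1
tty2
ttyS0
"""

# id:runlevels:action:process, the four colon-separated inittab fields
INITTAB_RE = re.compile(r"^(?P<id>[^:#]+):(?P<levels>[0-9]*):(?P<action>\w+):(?P<cmd>.*)$")


def parse_inittab_gettys(text: str) -> Dict[str, dict]:
    """Return {device: settings} for every active getty/agetty/mingetty entry."""
    ports: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # a commented-out entry (as in the minicom setup) is inactive
        m = INITTAB_RE.match(line)
        if not m or "getty" not in m.group("cmd"):
            continue
        argv = m.group("cmd").split()
        device = next((a for a in argv if a.startswith("tty")), None)
        baud = next((a for a in argv if a.isdigit()), None)
        if device is None:
            continue
        ports[device] = {
            "runlevels": m.group("levels"),
            "action": m.group("action"),
            "baud": int(baud) if baud else None,
            "ignore_modem_signals": "-L" in argv,   # -L is dropped when a modem is attached
        }
    return ports


def parse_securetty(text: str) -> List[str]:
    """Device names on which root may log in, one per line."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def audit_serial_logins(inittab: str, securetty: str) -> List[dict]:
    """One finding per serial port (ttyS*) that has a getty attached."""
    root_ok = set(parse_securetty(securetty))
    findings = []
    for dev, settings in parse_inittab_gettys(inittab).items():
        if dev.startswith("ttyS"):
            findings.append({"device": dev, "root_login_allowed": dev in root_ok, **settings})
    return findings


if __name__ == "__main__":
    for finding in audit_serial_logins(SAMPLE_INITTAB, SAMPLE_SECURETTY):
        print(finding)
```

To run it against a real system, read /etc/inittab and /etc/securetty into the two strings; a port that appears in the findings with root_login_allowed set is a root login path that bypasses the network entirely, so it should be one you intended.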

Make Your Linux Box Emulate A VT100 Dumb Terminal
Dumb terminals can be loosely defined as devices that allow you to log in to your system via the COM port. You can make your Linux box emulate a dumb terminal quite easily. There are a number of reasons to do this:
• You run Linux on a notebook and you need to use it to access a hung "headless" Linux server via the COM port
• You need to gain access to a modem connected to the COM port, not the use of Linux to dial a modem.
(This section will focus on the notebook scenario.)

Configuration Steps
The most commonly used Linux terminal emulation program is minicom. It is simple to use mainly because it uses a text based GUI. Here are the steps you'll need to go through to get it working.
o You will first need to go through all the relevant steps listed in the "Preparing to go Headless" section of this chapter to ensure you have the right type of cable and correct BIOS settings.
o Minicom will clash with your agetty configuration explained in the previous section. You therefore have to disable the agetty configuration for the port on which you wish to run minicom. In the case below we disable agetty on COM1 by commenting out the ttyS0 agetty statement in the /etc/inittab file. COM1 will therefore be used for outbound minicom connections to other systems. Other systems using minicom can use COM2 to access this system. In other words a "headless" system cannot be used to access another "headless" system using the "headless" COM port. We then need to restart the init process to reload the new /etc/inittab settings.

Edit /etc/inittab:

# Run COM1 and COM2 gettys in standard runlevels
#S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102

Restart init:

[root@bigboy tmp]# init q

o Run minicom in setup mode using the minicom -s command

[root@bigboy tmp]# minicom -s

o You will get the setup menu

            ------[configuration]------
            | Filenames and paths      |
            | File transfer protocols  |
            | Serial port setup        |
            | Modem and dialing        |
            | Screen and keyboard      |
            | Save setup as dfl        |
            | Save setup as..          |
            | Exit                     |
            | Exit from Minicom        |
            ----------------------------

o Select the serial port setup menu item. Make the speed match that of the remote "headless" system and make sure the correct serial COM device is chosen. Device /dev/ttyS0 is COM1 and /dev/ttyS1 is COM2. Also make sure that flow control is off.

    -------------------------------------------
    | A - Serial Device         : /dev/ttyS0  |
    | B - Lockfile Location     : /var/lock   |
    | C - Callin Program        :             |
    | D - Callout Program       :             |
    | E - Bps/Par/Bits          : 19200 8N1   |
    | F - Hardware Flow Control : No          |
    | G - Software Flow Control : No          |
    |                                         |
    |    Change which setting?                |
    -------------------------------------------

o Select the "Modem and dialing" option and make sure the "Init string" and "Reset string" settings are blank.
o Select "Save setup as dfl" to make this your saved default setting and then "Exit from Minicom".
o Make sure the other system is correctly configured for headless operation.
o Connect the cables between the systems.
o Re-enter minicom, this time without the "-s":

[root@bigboy tmp]# minicom

o Hit enter and you should get a login prompt:

Welcome to minicom 2.00.0

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Jun 23 2002, 16:41:20.

Press CTRL-A Z for help on special keys

bigboy login:

o To exit minicom you type CTRL-A, then Z, then X.
o Non "root" users will get a "permission denied" message if they use minicom as the COM ports are not normally accessible to regular users. The way to get around this is for user "root" to either give everyone read/write access using the chmod command below, or add selected trusted users to your sudo configuration. Remember that minicom will reset the privileges on the COM port each time you change the configuration with "minicom -s", so you may find yourself having to run chmod from time to time.

[root@bigboy tmp]# chmod o+rw /dev/ttyS0

Syslog Configuration and Cisco Devices
Syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices. Routers, switches, firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. If you have a large data center, then you may also want to switch off all logging to /var/log/messages as suggested above for the home/SOHO environment. The following examples will show how to have a different log file for each class of device. In all the network device configuration examples below we are logging to the remote Linux logging server 192.168.1.100 which we set up in the previous section.

Cisco Routers
By default Cisco routers send syslog messages to their logging server with a default facility of local7. We won't set the facility in this case, but we can tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface.

service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.1.100

Catalyst CAT Switches running CATOS
By default Cisco switches also send syslog messages to their logging server with a default facility of local7. We won't change this facility either, therefore making routers and switches log to the same file.

set logging server enable
set logging server 192.168.1.100
set logging level all 5
set logging server severity 6

Cisco Local Director
Local Directors use the "syslog output" command to set their logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme below:

Facility    Logging Facility Command Value
local 0     16
local 1     17
local 2     18
local 3     19
local 4     20
local 5     21
local 6     22
local 7     23

Cisco PIX Firewalls
PIX firewalls use the same numbering sc
heme to determine their logging facilities. This configuration example assumes that the logging server is connected on the side of the "inside" protected interface. We're sending log messages to facility LOCAL3 with a severity level of 5 (Notification) set by the "logging trap" command.

logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.1.100

Cisco CSS11000 (Arrowpoints)
The configuration for this is more straightforward. You specify the facility with an intuitive number using the "logging host" command and set the severity with the "logging subsystem" command. This example shows the CSS11000 logging with facility LOCAL6 and severity level 6 (Informational).

logging host 192.168.1.100 facility 6
logging subsystem all info-6
logging commands enable
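What ties the facility numbers above to the separate log files is the PRI value at the start of every syslog message: PRI = facility * 8 + severity, so a router's default local7 (23) at severity notice (5) arrives as <189>, the PIX's facility 19 at the notification level as <157>, and the CSS's local6 as <181>. The following is an added example, not part of the manual: it decodes PRI values, sorts a few constructed sample messages into per-device-class files the way a syslog.conf with facility selectors would, and renders the matching syslog.conf lines. The log file paths and the sample message texts are assumptions.

```python
"""Decode syslog PRI values from the network-device messages described above.

Added example, not from the manual. It shows how the facility chosen on each
device (local7 by default on routers and CatOS switches, facility 19 = local3
on the PIX, facility 6 = local6 on the CSS) reaches the Linux logging server
as the numeric PRI at the start of every message, and how a syslog.conf can
route each class of device to its own file. Sample messages are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Facility codes 0-23 (RFC 3164); local0-local7 are 16-23, matching the table above
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line: str) -> Optional[dict]:
    """Split '<PRI>rest' into facility/severity/message; None if no PRI is present."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": line[m.end():]}


# One file per class of device, as the text suggests (paths are assumptions)
ROUTES = {
    "local7": "/var/log/cisco-routers-switches.log",
    "local3": "/var/log/cisco-pix.log",
    "local6": "/var/log/cisco-css.log",
}


def route(lines: List[str], routes: Dict[str, str] = ROUTES) -> Dict[str, List[str]]:
    """Group messages by destination file; anything else lands in /var/log/messages."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        dest = routes.get(parsed["facility"], "/var/log/messages") if parsed else "/var/log/messages"
        out.setdefault(dest, []).append(line)
    return out


def syslog_conf(routes: Dict[str, str] = ROUTES) -> str:
    """Render the matching /etc/syslog.conf lines and keep the device
    facilities out of /var/log/messages with '.none' selectors."""
    lines = [f"{fac}.*\t{path}" for fac, path in routes.items()]
    excludes = ";".join(f"{fac}.none" for fac in routes)
    lines.append(f"*.info;{excludes}\t/var/log/messages")
    return "\n".join(lines)


# Constructed sample traffic as received on UDP port 514
SAMPLE_LINES = [
    "<189>Mar  1 10:00:01: router sample message (constructed)",   # local7.notice
    "<157>Mar  1 10:00:02: PIX sample message (constructed)",      # local3.notice, facility 19
    "<181>Mar  1 10:00:03: CSS sample message (constructed)",      # local6.notice, facility 6
    "no PRI here at all",                                          # malformed line
]

if __name__ == "__main__":
    for dest, msgs in route(SAMPLE_LINES).items():
        print(dest, len(msgs))
    print(syslog_conf())
```

A line without a PRI, or with a facility nobody configured, falls through to /var/log/messages, which is the file to watch when a new device is added and its messages do not show up where expected.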

Disk Partitioning Explained
Here's some interesting information on how Linux handles hard drives and their partitions.

What Is A Partition?
A partition is a means of dividing your hard disk into multiple sections, each of which is treated as a separate disk by your operating system. This allows you to be able to boot different operating systems from the same disk. Partitions cannot be moved or resized without destroying the data on them. In Windows, for example, a disk with two partitions would most likely find itself with a "C:" drive and a "D:" drive each with a separate set of folders.

What Is A Filesystem?
Filesystems can be considered as being the directory structures on a disk partition that contain all the files. Most Windows users would be familiar with the analogous terms "folders" and "subfolders", whereas Linux users would be familiar with the terms "directories" and "sub-directories".

How Linux Links Filesystems And Partitions
In Linux, everything appears to be a single set of "folders" or directories; the partitions hide underneath, unseen by the regular user. Linux partitions handle all files in the subdirectory of your choice. The choice of which subdirectories belong in which partition is made when you partition the hard drive. If you create a file system called "/var" and another called "/var/log", the directory allocation will be:

Partition   Directory Allocation
/var/log    All files in directory /var/log and all the subdirectories underneath /var/log
/var        All files in /var except the contents of directory /var/log and all the subdirectories underneath /var/log

What Partitions Are Mandatory?
The mandatory partitions are:

"/", Also Known As "root"
The root filesystem ("/") contains the files necessary for the system to boot up in single user mode with the bare minimum of functionality. Most Linux systems will then become multi-user systems by changing their runlevel and executing the associated startup scripts, including those that will mount the remaining file systems. In most cases, a corrupted root filesystem will make your system unbootable from the hard drive. Usually recovery requires reformatting the root file system and doing a Linux reinstall. If all your files are located in a root filesystem that becomes corrupted, there is a high possibility that you will lose all your data. It is for this reason that you should consider placing similar files in dedicated partitions. This reduces the need to reformat the "root" partition if it becomes corrupted.

/boot
The /boot partition contains the Linux kernel, which is the "master control program", not only for controlling the boot process, but also the normal functioning of Linux. RedHat Linux creates this partition automatically.

swap
Used as a location to place data temporarily if RAM memory becomes full. RedHat automatically creates this partition and usually makes it about twice the amount of system RAM. This is a generous guide, especially if you have more than 4GB.

Recommended Sizes For Disk Partitions
The RedHat default partitioning scheme used during the Linux installation should be sufficient for most home / SOHO systems. Here are some allocation suggestions that may be useful; you may look at the bottom of the table to see the settings I used for the 4GB hard disk I used to first run www.linuxhomenetworking.com. These are the settings I used for the hard disk I used to first run this site.

How Much Space Do I Have On My Partitions?
You can use the "df" command.

[root@bigboy root]# df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda3               505636     90002    389529  19% /
/dev/hda1                46636      9164     35064  21% /boot
/dev/hda5               505605     87915    391586  19% /home
/dev/hda7               830104     17632    770304   3% /tmp
/dev/hda2              4633108   1797504   2600252  41% /usr
/dev/hda6               256667    169577     73838  70% /var
[root@bigboy root]#

What Can I Do When I Run Out Of Disk Space?
o If it is in the /home partition, you can ask users to delete unnecessary files such as downloaded software and MP3s.
o If it is in the /var partition, then you can consider deleting some of your log files in /var/log. See the logging page for a description of the log files and how you can use the "logrotate" command to help reduce their size.
o You may want to also consider backing up files and then deleting them.
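Reading df by eye works on one machine; on a rack of them the same check is worth scripting, with a stricter limit on /var because a full /var silently stops syslog and mail rather than just inconveniencing users. The following is an added example, not part of the manual: it parses the df -k listing shown above (embedded as a constructed copy) and flags mount points at or above a per-mountpoint threshold. The threshold values and function names are assumptions.

```python
"""Parse 'df -k' output and flag partitions that are filling up.

Added example, not from the manual. It reads the df -k listing shown above
(embedded below as a constructed copy) and applies a per-mountpoint
threshold. The threshold values are assumptions for illustration.
"""
from typing import Dict, List

SAMPLE_DF = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda3               505636     90002    389529  19% /
/dev/hda1                46636      9164     35064  21% /boot
/dev/hda5               505605     87915    391586  19% /home
/dev/hda7               830104     17632    770304   3% /tmp
/dev/hda2              4633108   1797504   2600252  41% /usr
/dev/hda6               256667    169577     73838  70% /var
"""


def parse_df(text: str) -> List[Dict]:
    """One dict per filesystem line; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[1].isdigit():
            continue                  # header, blank line, or a wrapped device name
        rows.append({
            "device": parts[0],
            "size_kb": int(parts[1]),
            "used_kb": int(parts[2]),
            "avail_kb": int(parts[3]),
            "use_pct": int(parts[4].rstrip("%")),
            "mount": " ".join(parts[5:]),
        })
    return rows


# Assumed thresholds (percent used); anything not listed uses FALLBACK_PCT
THRESHOLDS = {"/var": 60, "/": 80, "/boot": 80}
FALLBACK_PCT = 90


def nearly_full(rows: List[Dict], thresholds=THRESHOLDS, fallback=FALLBACK_PCT) -> List[str]:
    """Mount points at or above their threshold, fullest first."""
    hits = [r for r in rows if r["use_pct"] >= thresholds.get(r["mount"], fallback)]
    return [r["mount"] for r in sorted(hits, key=lambda r: -r["use_pct"])]


def free_mb(rows: List[Dict], mount: str) -> float:
    """Available space on one mount point in megabytes, from the 1K-block figure."""
    for r in rows:
        if r["mount"] == mount:
            return r["avail_kb"] / 1024
    raise KeyError(mount)


if __name__ == "__main__":
    table = parse_df(SAMPLE_DF)
    print("nearly full:", nearly_full(table))
    print("free on /var: %.1f MB" % free_mb(table, "/var"))
```

On a live system replace SAMPLE_DF with the output of `df -k`; the parser ignores the header and any line whose second column is not a number, which also covers a device name long enough to wrap onto its own line.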

The OSI Networking Model
The Open System Interconnection (OSI) protocol suite acts as a framework for designing network based applications. It consists of layers of sub-applications, each building on the lower ones to provide a complete connectivity solution. Each layer generally has "hooks" into the layer immediately above and below it so that the data can flow smoothly through the sub-applications designed to handle each layer. In the home environment, data is frequently sent using the MAC addresses of the NIC cards of the communicating devices. Detailed descriptions of TCP, UDP, IP and ARP can be found in the Introduction to Networking chapter.

The Seven OSI Layers

Layer 7 - Application (Telnet, FTP, Sendmail)
• The user interface to the application

Layer 6 - Presentation
• Converts data from one presentation format to another. For example, email text entered into Outlook Express being converted into SMTP mail formatted data.

Layer 5 - Session
• Manages continuing requests and responses between the applications at both ends over the various established connections.

Layer 4 - Transport (TCP, UDP)
• Manages the establishment and tearing down of a connection.
• Correctly re-sequences data packets that arrive in the wrong order.
• Ensures that unacknowledged data is retransmitted.

Layer 3 - Network (IP, ARP)
• Handles the routing of data between links that are not physically connected together.
• Used as a means of not tying the address of the server to its MAC address. Your network address can stay the same if the NIC is replaced.
• Also allows you to select your own numbering scheme for the global network independent of the MAC address, which in rare cases could also be duplicated.
• Also provides the option of having multiple addresses of the same networking protocol assigned to the same MAC address.

Layer 2 - Link (Ethernet, ARP)
• Error control and timing of bits speeding down the wire between two directly connected devices.

Layer 1 - Physical (Ethernet)
• Defines the electrical and physical characteristics of the network cabling and interfacing hardware

the packet is discarded by the router. When the value reaches zero. Version 4. IP Header TCP/UDP Header DATA
Contents Of The IP Header
Field IP Version Description The version of IP being used. If this packet is part of a fragmented datagram. The server sending the data usually sets the TTL to a value high enough to reach it's destination without being discarded.
MF Bit
Fragment Offset TTL
Protocol
Header checksum Source Address Destination Address
Indicates the IP address of the server sending the data
Indicates the IP address of the server intended to receive the data
. Time to live. 17 = UDP Used to ensure that the header contents are error free. Total length of the IP header Total length of the IP packet
IHL Total Length DF Bit
Indicator to tell whether the data in the packet may be fragmented into smaller packets due to limitations of the communications line Indicator to tell whether this data in this packet is the last one of a stream of fragments. Internet Header Length. is the current version used by most devices on the Internet. Defines the type of protocol header to expect at the end of this header. This value is decremented by each router through which the packet has passes. then this specifies where in the complete datagram the data in this packet should be inserted. For example. 6 = TCP. is a newer format which allows for a much more vast range of addresses.Appendix I : Miscellaneous Topics
289
TCP/IP Packet Format
The TCP/IP packet contains an IP header followed by a TCP or UDP header followed by the TCP/UDP data. The TTL decrement feature is used by routers as an additional precaution to prevent the packet from mistakenly being routed around the Internet in an infinite loop due to a routing error. Version 6.

In the connection-establishment phase. this field also can be used to identify an initial sequence number to be used in an upcoming transmission. Usually specifies the number assigned to the first byte of data in the current message. Carries a variety of control information.
Specifies the length of the UDP header and data Used to ensure that the header contents are error free.com
Contents Of The TCP Header
Field Source and Destination Port Sequence Number Description Identifies points at which upper-layer source and destination processes receive TCP services.290
www. and the FIN bit used for connection termination. Contains the sequence number of the next byte of data the sender of the packet expects to receive. Specifies the size of the sender's receive window (that is. including the SYN and ACK bits used for connection establishment. the buffer space available for incoming data) Used to ensure that the header contents are error free.
. Length of the TCP header.linuxhomenetworking. Contains upper-layer information
Acknowledgment Number Data Offset Flags
Window
Checksum Data
Contents Of The UDP Header
Field Source and Destination Port Length Checksum Description Identifies points at which upper-layer source and destination processes receive TCP services.
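The three field tables above become concrete when you take a packet apart byte by byte. The following is an added example, not part of the manual: it builds two constructed packets (a TCP SYN and a UDP datagram, on RFC 5737 documentation addresses rather than any address from the manual), computes the real IP header checksum and the TCP/UDP pseudo-header checksums, and then decodes every field listed above, verifying the checksums on the way back in. The packet contents, addresses and function names are assumptions.

```python
"""Parse the IP, TCP and UDP headers listed above from raw bytes.

Added example, not from the manual. It builds two constructed packets (a TCP
SYN and a UDP datagram, on RFC 5737 documentation addresses), computes real
IP and transport checksums, then decodes every field from the three tables
above and verifies the checksums on the way back in.
"""
import struct
from typing import Dict, Tuple

TCP, UDP = 6, 17     # IP protocol numbers from the IP header table
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IP, TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def transport_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    """TCP and UDP also cover a pseudo-header of addresses, protocol and length."""
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return internet_checksum(pseudo + segment)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, df: bool = True) -> bytes:
    """Version 4, IHL 5 (20 bytes), DF as requested, MF clear, fragment offset 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int, window: int = 8192) -> bytes:
    """Data offset 5 (20 bytes), SYN set, ack 0, no data."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_FLAGS["SYN"], window, 0, 0)
    return seg[:16] + struct.pack("!H", transport_checksum(src, dst, TCP, seg)) + seg[18:]


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    dgram = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    csum = transport_checksum(src, dst, UDP, dgram) or 0xFFFF   # 0 would mean "no checksum"
    return dgram[:6] + struct.pack("!H", csum) + dgram[8:]


def parse_ipv4(pkt: bytes) -> Dict:
    vihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,            # stored in 8-byte units
        "ttl": ttl, "protocol": proto,
        "header_checksum_ok": internet_checksum(pkt[:ihl]) == 0,  # a valid header sums to zero
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(seg: bytes, src: str, dst: str) -> Dict:
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_offset = (off >> 4) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
        "flags": {name: bool(flags & bit) for name, bit in TCP_FLAGS.items()},
        "window": window,
        "checksum_ok": transport_checksum(src, dst, TCP, seg) == 0,
        "data": seg[data_offset:],
    }


def parse_udp(dgram: bytes, src: str, dst: str) -> Dict:
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": csum == 0 or transport_checksum(src, dst, UDP, dgram[:length]) == 0,
            "data": dgram[8:length]}


def parse_packet(pkt: bytes) -> Tuple[Dict, Dict]:
    """IP header first; its Protocol field decides which transport parser follows."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] == TCP:
        return ip, parse_tcp(ip["payload"], ip["src"], ip["dst"])
    if ip["protocol"] == UDP:
        return ip, parse_udp(ip["payload"], ip["src"], ip["dst"])
    return ip, {}


# Constructed packets on RFC 5737 documentation addresses
SRC, DST = "192.0.2.10", "198.51.100.20"
SYN_PACKET = build_ipv4(SRC, DST, TCP, build_tcp_syn(SRC, DST, 40000, 80, 1000))
UDP_PACKET = build_ipv4(SRC, DST, UDP, build_udp(SRC, DST, 53000, 53, b"query"), ttl=32)

if __name__ == "__main__":
    print(parse_packet(SYN_PACKET))
    print(parse_packet(UDP_PACKET))
```

The IP checksum only protects the header, which is why a single flipped TTL byte is caught by parse_ipv4 while the transport checksum, with its pseudo-header, is what detects a payload or address change; both are integrity checks against corruption, not authentication.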

Appendix II : Codes, Scripts and Configurations

Sendmail SPAM Filter Script
One of the good things about having a Linux box at home is that you can create your own customized SPAM filter. Here is a sample I've used at home for some time. Here is a summary of its operation:
• This script is called mail-filter.pl
• It uses two configuration files. File mail-filter.accept lists all the mail to accept and file mail-filter.reject lists all the mail to reject. Each file has two columns.
• The first column has either the word "subject:" or "address:" and the second column has either a subject string (inclusive of spaces) or a single address entry.
• The script reads the "reject" file and rejects any matching emails, it then reads the accept file and accepts any matching emails, then it denies everything else.
• The script is very tolerant of email addresses. You do not have to have an "@" sign in the configuration files' entries. The script will match on a partial address too.
• The script will match addresses in both the TO: and FROM: of the received email.
• The script will reject emails in which your email address doesn't appear in the "TO:", "FROM:" or "CC:". "BCC:" emails are therefore denied. If you receive emails as part of mailing lists, put the name of the mailing list in your "accept" file.
• Mail-filter.pl will log all accepted and denied emails in a file called mail-filter.log. Look at this file from time to time as you may find yourself rejecting too much traffic, which will require you to modify the configuration files.

Here's how to install the script:
• The script runs using the PERL scripting language which is installed by default on RedHat.
• You will have to go to www.cpan.org to download and install a variety of PERL modules beforehand. The CPAN modules page also has a link on how to install the modules.
  o Click on the CPAN home page's "modules" link
  o Click the "All Modules" listing and download and install the MailTools, IO-Stringy, MIME-tools & Mail-Audit modules in that order.
• Place mail-filter.pl in your $HOME directory (default login directory)
• Use the "chmod" command to make it executable

[root@bigboy mailuser]# chmod 700 mail-filter.pl

• Go to directory /etc/smrsh and create a logical link to the mail-filter.pl file there.

[root@bigboy mailuser]# cd /etc/smrsh
[root@bigboy smrsh]# ln -s /home/mailuser/mail-filter.pl

• Create a .forward file in your home directory with the following text:
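What follows is not the .forward entry (that text is cut off above) but an added Python illustration of the accept/reject decision the operation summary describes; the manual's own mail-filter.pl is Perl and is not reproduced here. The two configuration files, the owner's address and the incoming messages are constructed samples, and the precedence (reject list first, then accept list, then your own address in To/From/Cc, otherwise deny) is my reading of the bullet list above. Function names and the log line format are assumptions.

```python
"""Accept/reject decision of the kind the mail-filter.pl summary describes.

Added example written in Python (the manual's script is Perl and is not
reproduced here). The configuration files, the owner's address and the
messages below are constructed samples.
"""
import email
import email.utils
from email.message import Message
from typing import List, Optional, Tuple

# Constructed mail-filter.reject: "subject:" or "address:" then the value
SAMPLE_REJECT = """\
# partial address matches are allowed, no @ sign needed
subject: make money fast
address: spammer.example
"""
# Constructed mail-filter.accept: a mailing list that never addresses me directly
SAMPLE_ACCEPT = """\
address: linux-list@lists.example
subject: linuxhomenetworking
"""
MY_ADDRESS = "mailuser@my-site.example"          # constructed

SAMPLE_MSG = """\
From: friend@example.org
To: mailuser@my-site.example
Subject: Re: your zone file

hello
"""


def load_rules(text: str) -> List[Tuple[str, str]]:
    """Parse the two-column format into (kind, lowercased value) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        kind = kind.strip().lower()
        if kind in ("subject", "address") and value.strip():
            rules.append((kind, value.strip().lower()))
    return rules


def addresses_in(msg: Message) -> List[str]:
    """All addresses in To/From/Cc, lowercased. Bcc is never visible to the recipient."""
    found = []
    for hdr in ("to", "from", "cc"):
        for _name, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.append(addr.lower())
    return found


def first_match(rules: List[Tuple[str, str]], msg: Message) -> Optional[str]:
    """Return 'kind:value' of the first rule that matches, else None."""
    subject = (msg.get("subject") or "").lower()
    addrs = addresses_in(msg)
    for kind, value in rules:
        if kind == "subject" and value in subject:
            return f"subject:{value}"
        if kind == "address" and any(value in a for a in addrs):   # partial match
            return f"address:{value}"
    return None


def decide(raw: str, reject_text: str, accept_text: str, my_address: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'accept' or 'reject'."""
    msg = email.message_from_string(raw)
    hit = first_match(load_rules(reject_text), msg)
    if hit:
        return "reject", hit
    hit = first_match(load_rules(accept_text), msg)
    if hit:
        return "accept", hit
    if my_address.lower() in addresses_in(msg):
        return "accept", "addressed-to-me"
    return "reject", "not-addressed-to-me"     # Bcc'd, or a list not in the accept file


def log_line(raw: str, verdict: str, reason: str) -> str:
    """One mail-filter.log style line (format is an assumption)."""
    msg = email.message_from_string(raw)
    return f"{verdict.upper()} {reason} from={msg.get('from', '')} subject={msg.get('subject', '')}"


if __name__ == "__main__":
    verdict, reason = decide(SAMPLE_MSG, SAMPLE_REJECT, SAMPLE_ACCEPT, MY_ADDRESS)
    print(log_line(SAMPLE_MSG, verdict, reason))
```

Because the reject list is consulted first, a subject rule such as "make money fast" wins even when the message is addressed to you; the log line is what tells you when that precedence is throwing away mail you wanted, which is the reason the summary asks you to review mail-filter.log.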

Forward Zone File For A Home Network Using NAT
Here is an example of a zone file for my-site-internal.com in which we can also access bigboy as bigboy.my-site-internal.com. As server bigboy is also a mail and web server we have also added CNAMEs so that you can access 192.168.1.100 by one of two aliases depending on the role you wish it to play. For mail, you could access it as mail.my-site-internal.com and for web applications you could access it as www.my-site-internal.com, which maps to 192.168.1.100. There is also an entry for one of the home PCs named smallfry which you can now additionally access as smallfry.my-site-internal.com.

;
; Zone file for my-site-internal.com
;
; The full zone file
;
$TTL 3D
@       IN      SOA     www.my-site-internal.com. hostmaster.my-site-internal.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds

                NS      www                             ; Inet Address of name server
                MX      10 mail.my-site-internal.com.   ; Primary Mail Exchanger

localhost       A       127.0.0.1
www             A       97.158.253.26
bigboy          A       192.168.1.100
smallfry        A       192.168.1.102
firewall        A       192.168.1.1
www             CNAME   bigboy
mail            CNAME   bigboy
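A zone file is easy to get subtly wrong, and the name server either refuses the whole zone or serves something other than you intended, so it pays to check a file before reloading named. The following is an added example, not part of the manual: it parses the zone file above (embedded as a constructed copy) into records and applies three checks that do not need a running name server: every relative CNAME target exists in the zone, no owner name carries a CNAME together with other record types (BIND refuses to load such a zone), and no MX target is itself a CNAME. Run on the copy above it reports www (an A record plus a CNAME) and the MX target mail (a CNAME). The zone origin and the function names are assumptions.

```python
"""Sanity-check a forward zone file before reloading the name server.

Added example, not from the manual. The zone text is a copy of the file
above; the origin is taken from its SOA and the checks are the three named
in the lead-in.
"""
from typing import Dict, List, Set, Tuple

ORIGIN = "my-site-internal.com."

ZONE = """\
; Zone file for my-site-internal.com
$TTL 3D
@       IN      SOA     www.my-site-internal.com. hostmaster.my-site-internal.com. (
                        200211152       ; serial#
                        3600            ; refresh, seconds
                        3600            ; retry, seconds
                        3600            ; expire, seconds
                        3600 )          ; minimum, seconds
                NS      www                             ; Inet Address of name server
                MX      10 mail.my-site-internal.com.   ; Primary Mail Exchanger
localhost       A       127.0.0.1
www             A       97.158.253.26
bigboy          A       192.168.1.100
smallfry        A       192.168.1.102
firewall        A       192.168.1.1
www             CNAME   bigboy
mail            CNAME   bigboy
"""

Record = Tuple[str, str, List[str]]   # (owner, type, rdata tokens)


def logical_lines(text: str):
    """Strip ';' comments and join parenthesised multi-line records into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line if not buf else line.strip())   # keep leading space of the first line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text: str) -> Tuple[Dict[str, str], List[Record]]:
    """Return (SOA fields, records). A line starting with whitespace reuses the previous owner."""
    soa, records, owner = {}, [], "@"
    for line in logical_lines(text):
        if line.startswith("$"):
            continue                          # $TTL and other directives
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            soa = dict(zip(["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"], rdata))
        else:
            records.append((owner, rtype, rdata))
    return soa, records


def relative(name: str, origin: str = ORIGIN) -> str:
    """Fold a fully-qualified name inside this zone back to its relative form."""
    if name == origin:
        return "@"
    if name.endswith("." + origin):
        return name[: -len(origin) - 1]
    return name                               # already relative, or outside this zone


def check_zone(text: str, origin: str = ORIGIN) -> Dict[str, List[str]]:
    _soa, records = parse_zone(text)
    types: Dict[str, Set[str]] = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    dangling = [o for o, t, rd in records
                if t == "CNAME" and not rd[0].endswith(".") and rd[0] not in types]
    conflicts = sorted(o for o, ts in types.items() if "CNAME" in ts and len(ts) > 1)
    mx_to_cname = [rd[1] for _, t, rd in records
                   if t == "MX" and "CNAME" in types.get(relative(rd[1], origin), set())]
    return {"dangling_cnames": dangling, "cname_conflicts": conflicts, "mx_to_cname": mx_to_cname}


if __name__ == "__main__":
    print(check_zone(ZONE))
```

The parser is deliberately small (one class, no $ORIGIN or $INCLUDE handling), which is enough for a hand-written home zone like this one; for anything larger, named-checkzone, shipped with BIND, performs these checks and more.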

Sendmail Sample /etc/aliases File

#
#  @(#)aliases	8.2 (Berkeley) 3/5/94
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#	>>>>>>>>>>	The program "newaliases" must be run after
#	>> NOTE >>	this file is updated for any changes to
#	>>>>>>>>>>	show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:	postmaster
postmaster:	root

# General redirections for pseudo accounts.
bin:		root
daemon:		root
adm:		root
lp:		root
sync:		root
shutdown:	root
halt:		root

Sendmail Sample /etc/mail/access File

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
localhost.localdomain		RELAY
localhost			RELAY
127.0.0.1			RELAY
#
# Relay messages from the local subnet 192.168
192.168				RELAY

ICMP Codes

Type 3 - Destination Unreachable
Net Unreachable: The sending device knows about the network but believes it is not available at this time. Perhaps the network is too far away through the known route.
Host Unreachable: The sending device knows about the host but doesn't get an ARP reply, indicating the host is not available at this time.
Protocol Unreachable: The protocol defined in the IP header cannot be forwarded.
Port Unreachable: The sending device does not support the port number you are trying to reach.
Fragmentation Needed and Don't Fragment was Set: The router needs to fragment the packet to forward it across a link that supports a smaller maximum transmission unit (MTU) size. However, the application set the Don't Fragment bit.
Source Route Failed: ICMP sender can't use the strict or loose source routing path specified in the original packet.
Destination Network Unknown: ICMP sender does not have a route entry for the destination network, indicating this network may never have been available.
Destination Host Unknown: ICMP sender does not have a host entry, indicating the host may never have been available on the connected network.
Source Host Isolated: ICMP sender (router) has been configured to not forward packets from the source (the old electronic pink slip).
Communication with Destination Network is Administratively Prohibited: ICMP sender (router) has been configured to block access to the desired destination network.
Communication with Destination Host is Administratively Prohibited: ICMP sender (router) has been configured to block access to the desired destination host.
Destination Network Unreachable for Type of Service: The sender is using a Type of Service (TOS) that is not available through this router for that specific network.
Destination Host Unreachable for Type of Service: The sender is using a Type of Service (TOS) that is not available through this router for that specific host.
Communication Administratively Prohibited: ICMP sender is not available for communications at this time.
Host Precedence Violation: Precedence value defined in the sender's original IP header is not allowed (for example, using Flash Override precedence).

Type 5 - Redirect
Redirect Datagram for the Network (or subnet): ICMP sender (router) is not the best way to get to the desired network. Reply contains the IP address of the best router to the destination. Dynamically adds a network entry in the original sender's routing tables.
Redirect Datagram for the Host: ICMP sender (router) is not the best way to get to the desired host. Reply contains the IP address of the best router to the destination. Dynamically adds a host entry in the original sender's route tables.
Redirect Datagram for the Type of Service and Network: ICMP sender (router) does not offer a path to the destination network using the TOS requested. Dynamically adds a network entry in the original sender's route tables.
Redirect Datagram for the Type of Service and Host: ICMP sender (router) does not offer a path to the destination host using the TOS requested. Dynamically adds a host entry in the original sender's route tables.

Type 6 - Alternate Host Address
Alternate Address for Host: Reply that indicates another host address should be used for the desired service. Should redirect the application to another host.

Type 11 - Time Exceeded
Time to Live exceeded in Transit: ICMP sender (router) indicates that the originator's packet arrived with a Time To Live (TTL) of 1. Routers cannot decrement the TTL value to 0 and forward the packet.
Fragment Reassembly Time Exceeded: ICMP sender (destination host) did not receive all fragment parts before the expiration (in seconds of holding time) of the TTL value of the first fragment received.

Type 12 - Parameter Problem
Pointer indicates the error: Error is defined in greater detail within the ICMP packet.
Missing a Required Option: ICMP sender expected some additional information in the Option field of the original packet.
Bad Length: Original packet structure had an invalid length.